Merge "Add {priority,runtime}ClassName for db-sync" into stable/2024.1
diff --git a/releasenotes/notes/add-extra-keycloak-realm-options-a8b14740bd999ebb.yaml b/releasenotes/notes/add-extra-keycloak-realm-options-a8b14740bd999ebb.yaml
new file mode 100644
index 0000000..4a7a43b
--- /dev/null
+++ b/releasenotes/notes/add-extra-keycloak-realm-options-a8b14740bd999ebb.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - The Keystone role now supports additional parameters when creating the
+ Keycloak realm to allow for the configuration of options such as password
+ policy, brute force protection, and more.
diff --git a/releasenotes/notes/add-mfa-config-options-6f2d6811bca1a789.yaml b/releasenotes/notes/add-mfa-config-options-6f2d6811bca1a789.yaml
new file mode 100644
index 0000000..cb2d445
--- /dev/null
+++ b/releasenotes/notes/add-mfa-config-options-6f2d6811bca1a789.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - The Keystone role now supports configuring multi-factor authentication for
+ the users within the Atmosphere realm.
diff --git a/releasenotes/notes/allow-configuring-ingress-class-name-0c50f395d9a1b213.yaml b/releasenotes/notes/allow-configuring-ingress-class-name-0c50f395d9a1b213.yaml
new file mode 100644
index 0000000..23172db
--- /dev/null
+++ b/releasenotes/notes/allow-configuring-ingress-class-name-0c50f395d9a1b213.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ All roles that deploy ``Ingress`` resources as part of the deployment
+ process now support the ability to specify the class name to use for the
+ ``Ingress`` resource. This is done by setting the
+ ``<role>_ingress_class_name`` variable to the desired class name.
diff --git a/releasenotes/notes/allow-using-default-cert-b28067c8a1525e1f.yaml b/releasenotes/notes/allow-using-default-cert-b28067c8a1525e1f.yaml
new file mode 100644
index 0000000..aac6ce0
--- /dev/null
+++ b/releasenotes/notes/allow-using-default-cert-b28067c8a1525e1f.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ It's now possible to use the default TLS certificates configured within the
+ ingress by using the ``ingress_use_default_tls_certificate`` variable which
+ will omit the ``tls`` section from any ``Ingress`` resources managed by
+ Atmosphere.
diff --git a/releasenotes/notes/horizon-security-improvements-22b2535a85daab75.yaml b/releasenotes/notes/horizon-security-improvements-22b2535a85daab75.yaml
new file mode 100644
index 0000000..2b52c90
--- /dev/null
+++ b/releasenotes/notes/horizon-security-improvements-22b2535a85daab75.yaml
@@ -0,0 +1,8 @@
+---
+security:
+ - The Horizon service now runs as the non-privileged user `horizon` in the
+ container.
+ - The Horizon service ``ALLOWED_HOSTS`` setting is now configured to point
+ to the configured endpoints for the service.
+ - The CORS headers are now configured to only allow requests from the
+ configured endpoints for the service.
diff --git a/roles/barbican/defaults/main.yml b/roles/barbican/defaults/main.yml
index 8d2abc6..011e4d6 100644
--- a/roles/barbican/defaults/main.yml
+++ b/roles/barbican/defaults/main.yml
@@ -20,7 +20,11 @@
barbican_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}"
barbican_helm_values: {}
+# Class name to use for the Ingress
+barbican_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
barbican_ingress_annotations: {}
+
# Barbican key encryption key
barbican_kek: "{{ undef(hint='You must specify a Barbican key encryption key') }}"
diff --git a/roles/barbican/tasks/main.yml b/roles/barbican/tasks/main.yml
index d7261dc..d4992b6 100644
--- a/roles/barbican/tasks/main.yml
+++ b/roles/barbican/tasks/main.yml
@@ -30,6 +30,7 @@
openstack_helm_ingress_service_name: barbican-api
openstack_helm_ingress_service_port: 9311
openstack_helm_ingress_annotations: "{{ barbican_ingress_annotations }}"
+ openstack_helm_ingress_class_name: "{{ barbican_ingress_class_name }}"
- name: Create creator role
openstack.cloud.identity_role:
diff --git a/roles/cinder/defaults/main.yml b/roles/cinder/defaults/main.yml
index 9a2012f..51ac2dc 100644
--- a/roles/cinder/defaults/main.yml
+++ b/roles/cinder/defaults/main.yml
@@ -20,5 +20,8 @@
cinder_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}"
cinder_helm_values: {}
+# Class name to use for the Ingress
+cinder_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
cinder_ingress_annotations: {}
diff --git a/roles/cinder/tasks/main.yml b/roles/cinder/tasks/main.yml
index aa7b213..cde4251 100644
--- a/roles/cinder/tasks/main.yml
+++ b/roles/cinder/tasks/main.yml
@@ -40,3 +40,4 @@
openstack_helm_ingress_service_name: cinder-api
openstack_helm_ingress_service_port: 8776
openstack_helm_ingress_annotations: "{{ _cinder_ingress_annotations | combine(cinder_ingress_annotations) }}"
+ openstack_helm_ingress_class_name: "{{ cinder_ingress_class_name }}"
diff --git a/roles/designate/defaults/main.yml b/roles/designate/defaults/main.yml
index 7932b41..91bf556 100644
--- a/roles/designate/defaults/main.yml
+++ b/roles/designate/defaults/main.yml
@@ -20,6 +20,9 @@
designate_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}"
designate_helm_values: {}
+# Class name to use for the Ingress
+designate_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
designate_ingress_annotations: {}
diff --git a/roles/designate/tasks/main.yml b/roles/designate/tasks/main.yml
index fe90969..e4c969d 100644
--- a/roles/designate/tasks/main.yml
+++ b/roles/designate/tasks/main.yml
@@ -34,3 +34,4 @@
openstack_helm_ingress_service_name: designate-api
openstack_helm_ingress_service_port: 9001
openstack_helm_ingress_annotations: "{{ designate_ingress_annotations }}"
+ openstack_helm_ingress_class_name: "{{ designate_ingress_class_name }}"
diff --git a/roles/glance/defaults/main.yml b/roles/glance/defaults/main.yml
index d747588..62c026b 100644
--- a/roles/glance/defaults/main.yml
+++ b/roles/glance/defaults/main.yml
@@ -20,6 +20,9 @@
glance_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}"
glance_helm_values: {}
+# Class name to use for the Ingress
+glance_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
glance_ingress_annotations: {}
diff --git a/roles/glance/tasks/main.yml b/roles/glance/tasks/main.yml
index 32cf42c..c36357f 100644
--- a/roles/glance/tasks/main.yml
+++ b/roles/glance/tasks/main.yml
@@ -30,6 +30,7 @@
openstack_helm_ingress_service_name: glance-api
openstack_helm_ingress_service_port: 9292
openstack_helm_ingress_annotations: "{{ _glance_ingress_annotations | combine(glance_ingress_annotations) }}"
+ openstack_helm_ingress_class_name: "{{ glance_ingress_class_name }}"
- name: Create images
ansible.builtin.include_role:
diff --git a/roles/heat/defaults/main.yml b/roles/heat/defaults/main.yml
index 3ea9ded..6a7173d 100644
--- a/roles/heat/defaults/main.yml
+++ b/roles/heat/defaults/main.yml
@@ -20,6 +20,10 @@
heat_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}"
heat_helm_values: {}
+# Class name to use for the Ingress
+heat_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
+# List of annotations to apply to the Ingress
heat_ingress_annotations: {}
# Encryption key for Heat to use for encrypting sensitive data
diff --git a/roles/heat/tasks/main.yml b/roles/heat/tasks/main.yml
index 96c301a..3a2790e 100644
--- a/roles/heat/tasks/main.yml
+++ b/roles/heat/tasks/main.yml
@@ -30,6 +30,7 @@
openstack_helm_ingress_service_name: heat-api
openstack_helm_ingress_service_port: 8004
openstack_helm_ingress_annotations: "{{ _heat_ingress_annotations | combine(heat_ingress_annotations, recursive=True) }}"
+ openstack_helm_ingress_class_name: "{{ heat_ingress_class_name }}"
- name: Create Ingress
ansible.builtin.include_role:
@@ -39,3 +40,4 @@
openstack_helm_ingress_service_name: heat-cfn
openstack_helm_ingress_service_port: 8000
openstack_helm_ingress_annotations: "{{ _heat_ingress_annotations | combine(heat_ingress_annotations, recursive=True) }}"
+ openstack_helm_ingress_class_name: "{{ heat_ingress_class_name }}"
diff --git a/roles/horizon/defaults/main.yml b/roles/horizon/defaults/main.yml
index 116a87a..441fe4d 100644
--- a/roles/horizon/defaults/main.yml
+++ b/roles/horizon/defaults/main.yml
@@ -20,5 +20,8 @@
horizon_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}"
horizon_helm_values: {}
+# Class name to use for the Ingress
+horizon_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
horizon_ingress_annotations: {}
diff --git a/roles/horizon/tasks/main.yml b/roles/horizon/tasks/main.yml
index 3cd1653..5c9e4e0 100644
--- a/roles/horizon/tasks/main.yml
+++ b/roles/horizon/tasks/main.yml
@@ -30,3 +30,4 @@
openstack_helm_ingress_service_name: horizon-int
openstack_helm_ingress_service_port: 80
openstack_helm_ingress_annotations: "{{ _horizon_ingress_annotations | combine(horizon_ingress_annotations) }}"
+ openstack_helm_ingress_class_name: "{{ horizon_ingress_class_name }}"
diff --git a/roles/horizon/vars/main.yml b/roles/horizon/vars/main.yml
index 3e4f541..e0499bb 100644
--- a/roles/horizon/vars/main.yml
+++ b/roles/horizon/vars/main.yml
@@ -17,6 +17,16 @@
images:
tags: "{{ atmosphere_images | vexxhost.atmosphere.openstack_helm_image_tags('horizon') }}"
pod:
+ security_context:
+ horizon:
+ pod:
+ fsGroup: 42424
+ db_sync:
+ pod:
+ fsGroup: 42424
+ tests:
+ pod:
+ fsGroup: 42424
replicas:
server: 3
conf:
@@ -24,6 +34,8 @@
local_settings:
config:
disallow_iframe_embed: "True"
+ allowed_hosts:
+ - "{{ openstack_helm_endpoints_horizon_api_host }}"
secure_proxy_ssl_header: "True"
horizon_images_upload_mode: direct
openstack_enable_password_retrieve: "True"
@@ -55,3 +67,5 @@
_horizon_ingress_annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "5000m"
nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ nginx.ingress.kubernetes.io/cors-allow-origin: "{{ openstack_helm_endpoints_horizon_api_host }}"
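Review bot: The `cors-allow-origin` value added at the end of this hunk is a bare host name, while ingress-nginx documents this annotation as a list of origins that include the scheme (for example `https://host`). As far as I know, an entry that does not match that format is not honoured: depending on the controller version it is either skipped or replaced by the wildcard `*`, which would undo the restriction the release note describes. I would write `nginx.ingress.kubernetes.io/cors-allow-origin: "https://{{ openstack_helm_endpoints_horizon_api_host }}"` and check the rendered `Access-Control-Allow-Origin` header against the controller version in use.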
diff --git a/roles/ingress/defaults/main.yml b/roles/ingress/defaults/main.yml
index 05a2cc3..82ea1e0 100644
--- a/roles/ingress/defaults/main.yml
+++ b/roles/ingress/defaults/main.yml
@@ -38,3 +38,6 @@
# List of annotations to apply to all Ingress resources as default
ingress_default_annotations: "{{ ingress_global_annotations | default(atmosphere_ingress_annotations) }}"
+
+# Use default TLS certificate
+ingress_use_default_tls_certificate: false
diff --git a/roles/ingress/templates/ingress.yml.j2 b/roles/ingress/templates/ingress.yml.j2
index 04135bc..6da2788 100644
--- a/roles/ingress/templates/ingress.yml.j2
+++ b/roles/ingress/templates/ingress.yml.j2
@@ -21,7 +21,9 @@
name: {{ ingress_service_name }}
port:
number: {{ ingress_service_port }}
+{% if not ingress_use_default_tls_certificate %}
tls:
- secretName: {{ ingress_secret_name | default(ingress_service_name ~ '-certs') }}
hosts:
- {{ ingress_host }}
+{% endif %}
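Review bot: Dropping the whole `tls` section when `ingress_use_default_tls_certificate` is set also removes the `hosts` entry. With ingress-nginx (the controller the annotations elsewhere in this change target), the automatic HTTP-to-HTTPS redirect applies only to Ingresses that have TLS configured, so these endpoints would, as far as I can tell, also answer over plain HTTP. ingress-nginx uses its default certificate for a `tls` entry that has no `secretName`, so the condition could wrap only the `secretName` key and keep `tls` with `hosts`, or the role could set `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` when the flag is on. The test is also a bare Jinja truthiness check; `{% if not ingress_use_default_tls_certificate | bool %}` keeps a string `"false"` passed through extra vars from being read as true. The manifest starts above this hunk, so the exact indentation needs checking against the full template.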
diff --git a/roles/ironic/defaults/main.yml b/roles/ironic/defaults/main.yml
index 4df68da..3b0ef6d 100644
--- a/roles/ironic/defaults/main.yml
+++ b/roles/ironic/defaults/main.yml
@@ -20,6 +20,9 @@
ironic_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}"
ironic_helm_values: {}
+# Class name to use for the Ingress
+ironic_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
ironic_ingress_annotations: {}
diff --git a/roles/ironic/tasks/main.yml b/roles/ironic/tasks/main.yml
index bd975f1..a70ef8b 100644
--- a/roles/ironic/tasks/main.yml
+++ b/roles/ironic/tasks/main.yml
@@ -94,3 +94,4 @@
openstack_helm_ingress_service_name: ironic-api
openstack_helm_ingress_service_port: 6385
openstack_helm_ingress_annotations: "{{ ironic_ingress_annotations }}"
+ openstack_helm_ingress_class_name: "{{ ironic_ingress_class_name }}"
diff --git a/roles/keystone/defaults/main.yml b/roles/keystone/defaults/main.yml
index f71c59f..67031c5 100644
--- a/roles/keystone/defaults/main.yml
+++ b/roles/keystone/defaults/main.yml
@@ -20,6 +20,9 @@
keystone_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}"
keystone_helm_values: {}
+# Class name to use for the Ingress
+keystone_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
keystone_ingress_annotations: {}
@@ -34,6 +37,16 @@
keystone_keycloak_admin_password: "{{ keycloak_admin_password }}"
keystone_keycloak_realm: atmosphere
keystone_keycloak_realm_name: Atmosphere
+# keystone_keycloak_realm_default_password_policy:
+# keystone_keycloak_realm_default_brute_force_protected:
+# keystone_keycloak_realm_default_brute_force_failure_factor:
+# keystone_keycloak_realm_default_brute_force_wait_increment_seconds:
+# keystone_keycloak_realm_default_brute_force_max_failure_wait_seconds:
+# keystone_keycloak_realm_default_brute_force_max_delta_time_seconds:
+# keystone_keycloak_realm_default_minimum_quick_login_wait_seconds:
+# keystone_keycloak_realm_default_quick_login_check_milli_seconds:
+# keystone_keycloak_realm_default_totp_default_action:
+
keystone_keycloak_client_id: keystone
# keystone_keycloak_client_secret:
keystone_keycloak_scopes: "openid email profile"
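Review bot: The nine realm options added here are commented-out names with no description, expected type or example. An operator cannot tell from this file that leaving them unset keeps password policy, brute-force detection and the TOTP default action at Keycloak's own defaults. A short header comment would help, e.g. `# Optional realm hardening; unset values are omitted and Keycloak defaults apply. Each can be overridden per entry in keystone_domains.`, plus one example value per line in the style of `# openstack_helm_ingress_wildcard_domain: cloud.atmosphere.dev` used elsewhere in this change.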
diff --git a/roles/keystone/tasks/main.yml b/roles/keystone/tasks/main.yml
index a35a9ce..b6d0a8e 100644
--- a/roles/keystone/tasks/main.yml
+++ b/roles/keystone/tasks/main.yml
@@ -29,6 +29,36 @@
realm: "{{ item.keycloak_realm }}"
display_name: "{{ item.label }}"
enabled: true
+ password_policy: "{{ item.keycloak_password_policy | default(keystone_keycloak_realm_default_password_policy | default(omit)) }}"
+ brute_force_protected: "{{ item.keycloak_brute_force_protected | default(keystone_keycloak_realm_default_brute_force_protected | default(omit)) }}"
+ failure_factor: "{{ item.keycloak_brute_force_failure_factor | default(keystone_keycloak_realm_default_brute_force_failure_factor | default(omit)) }}"
+ wait_increment_seconds: "{{ item.keycloak_brute_force_wait_increment_seconds | default(keystone_keycloak_realm_default_brute_force_wait_increment_seconds | default(omit)) }}"
+ max_failure_wait_seconds: "{{ item.keycloak_brute_force_max_failure_wait_seconds | default(keystone_keycloak_realm_default_brute_force_max_failure_wait_seconds | default(omit)) }}"
+ max_delta_time_seconds: "{{ item.keycloak_brute_force_max_delta_time_seconds | default(keystone_keycloak_realm_default_brute_force_max_delta_time_seconds | default(omit)) }}"
+ minimum_quick_login_wait_seconds: "{{ item.keycloak_minimum_quick_login_wait_seconds | default(keystone_keycloak_realm_default_minimum_quick_login_wait_seconds | default(omit)) }}"
+ quick_login_check_milli_seconds: "{{ item.keycloak_quick_login_check_milli_seconds | default(keystone_keycloak_realm_default_quick_login_check_milli_seconds | default(omit)) }}"
+ loop: "{{ keystone_domains }}"
+ loop_control:
+ label: "{{ item.name }}"
+
+- name: Setup Keycloak Authentication Required Actions (MFA)
+ community.general.keycloak_authentication_required_actions:
+ # Keycloak settings
+ auth_keycloak_url: "{{ item.keycloak_server_url }}"
+ auth_realm: "{{ item.keycloak_user_realm_name }}"
+ auth_client_id: "{{ item.keycloak_admin_client_id }}"
+ auth_username: "{{ item.keycloak_admin_user }}"
+ auth_password: "{{ item.keycloak_admin_password }}"
+ validate_certs: "{{ cluster_issuer_type != 'self-signed' }}"
+ # Realm settings
+ realm: "{{ item.name }}"
+ required_actions:
+ - alias: "CONFIGURE_TOTP"
+ name: "Configure OTP"
+ providerId: "CONFIGURE_TOTP"
+ defaultAction: "{{ item.keycloak_totp_default_action | default(keystone_keycloak_realm_default_totp_default_action | default(omit)) }}"
+ enabled: true
+ state: present
loop: "{{ keystone_domains }}"
loop_control:
label: "{{ item.name }}"
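Review bot: The new required-actions task targets `realm: "{{ item.name }}"`, while the realm task directly above it creates the realm with `realm: "{{ item.keycloak_realm }}"`. For any entry in `keystone_domains` where the two keys differ, the TOTP action would be applied to the wrong realm or to one that does not exist. Unless the two are guaranteed equal, I would use `realm: "{{ item.keycloak_realm }}"` here as well. Separately, `validate_certs` is off whenever `cluster_issuer_type` is `self-signed`, and this call carries the Keycloak admin password; a comment on that line stating the trade-off would make it visible to operators. The realm task begins above the hunk, so I cannot see whether it uses the same setting.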
@@ -78,6 +108,7 @@
openstack_helm_ingress_service_name: keystone-api
openstack_helm_ingress_service_port: 5000
openstack_helm_ingress_annotations: "{{ keystone_ingress_annotations }}"
+ openstack_helm_ingress_class_name: "{{ keystone_ingress_class_name }}"
- name: Validate if ingress is reachable
ansible.builtin.uri:
diff --git a/roles/magnum/defaults/main.yml b/roles/magnum/defaults/main.yml
index 740fbb0..84355f7 100644
--- a/roles/magnum/defaults/main.yml
+++ b/roles/magnum/defaults/main.yml
@@ -20,6 +20,10 @@
magnum_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}"
magnum_helm_values: {}
+# Class name to use for the Ingress
+magnum_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+magnum_registry_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
magnum_ingress_annotations: {}
magnum_registry_ingress_annotations: {}
diff --git a/roles/magnum/tasks/main.yml b/roles/magnum/tasks/main.yml
index fc9b7a0..4805cbc 100644
--- a/roles/magnum/tasks/main.yml
+++ b/roles/magnum/tasks/main.yml
@@ -128,6 +128,7 @@
openstack_helm_ingress_service_name: magnum-api
openstack_helm_ingress_service_port: 9511
openstack_helm_ingress_annotations: "{{ magnum_ingress_annotations }}"
+ openstack_helm_ingress_class_name: "{{ magnum_ingress_class_name }}"
- name: Deploy magnum registry
run_once: true
@@ -204,6 +205,7 @@
openstack_helm_ingress_service_name: magnum-registry
openstack_helm_ingress_service_port: 5000
openstack_helm_ingress_annotations: "{{ _magnum_registry_ingress_annotations | combine(magnum_registry_ingress_annotations) }}"
+ openstack_helm_ingress_class_name: "{{ magnum_registry_ingress_class_name }}"
- name: Upload images
ansible.builtin.include_role:
diff --git a/roles/manila/defaults/main.yml b/roles/manila/defaults/main.yml
index f5b791f..ce4b014 100644
--- a/roles/manila/defaults/main.yml
+++ b/roles/manila/defaults/main.yml
@@ -20,6 +20,9 @@
manila_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}"
manila_helm_values: {}
+# Class name to use for the Ingress
+manila_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
manila_ingress_annotations: {}
diff --git a/roles/manila/tasks/main.yml b/roles/manila/tasks/main.yml
index 8ae97e8..540ce34 100644
--- a/roles/manila/tasks/main.yml
+++ b/roles/manila/tasks/main.yml
@@ -38,6 +38,7 @@
openstack_helm_ingress_service_name: manila-api
openstack_helm_ingress_service_port: 8786
openstack_helm_ingress_annotations: "{{ manila_ingress_annotations }}"
+ openstack_helm_ingress_class_name: "{{ manila_ingress_class_name }}"
- name: Update service tenant quotas
openstack.cloud.quota:
diff --git a/roles/neutron/defaults/main.yml b/roles/neutron/defaults/main.yml
index 04d48ac..b8579eb 100644
--- a/roles/neutron/defaults/main.yml
+++ b/roles/neutron/defaults/main.yml
@@ -23,6 +23,9 @@
# List of networks to provision inside OpenStack
neutron_networks: []
+# Class name to use for the Ingress
+neutron_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
neutron_ingress_annotations: {}
diff --git a/roles/neutron/tasks/main.yml b/roles/neutron/tasks/main.yml
index 874ed3c..7271f4f 100644
--- a/roles/neutron/tasks/main.yml
+++ b/roles/neutron/tasks/main.yml
@@ -49,6 +49,7 @@
openstack_helm_ingress_service_name: neutron-server
openstack_helm_ingress_service_port: 9696
openstack_helm_ingress_annotations: "{{ neutron_ingress_annotations }}"
+ openstack_helm_ingress_class_name: "{{ neutron_ingress_class_name }}"
- name: Create networks
when: neutron_networks | length > 0
diff --git a/roles/nova/defaults/main.yml b/roles/nova/defaults/main.yml
index e02faac..a951a5f 100644
--- a/roles/nova/defaults/main.yml
+++ b/roles/nova/defaults/main.yml
@@ -26,6 +26,10 @@
# List of flavors to provision inside Nova
nova_flavors: []
+# Class name to use for the Ingress
+nova_api_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+nova_novnc_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
nova_api_ingress_annotations: {}
nova_novnc_ingress_annotations: {}
diff --git a/roles/nova/tasks/main.yml b/roles/nova/tasks/main.yml
index ed10aa5..a86aa0c 100644
--- a/roles/nova/tasks/main.yml
+++ b/roles/nova/tasks/main.yml
@@ -49,6 +49,7 @@
openstack_helm_ingress_service_name: nova-api
openstack_helm_ingress_service_port: 8774
openstack_helm_ingress_annotations: "{{ nova_api_ingress_annotations }}"
+ openstack_helm_ingress_class_name: "{{ nova_api_ingress_class_name }}"
- name: Create Ingress
ansible.builtin.include_role:
@@ -58,6 +59,7 @@
openstack_helm_ingress_service_name: nova-novncproxy
openstack_helm_ingress_service_port: 6080
openstack_helm_ingress_annotations: "{{ _nova_novnc_ingress_annotations | combine(nova_novnc_ingress_annotations) }}"
+ openstack_helm_ingress_class_name: "{{ nova_novnc_ingress_class_name }}"
- name: Create flavors
when: nova_flavors | length > 0
diff --git a/roles/octavia/defaults/main.yml b/roles/octavia/defaults/main.yml
index 19b31f8..3f6427b 100644
--- a/roles/octavia/defaults/main.yml
+++ b/roles/octavia/defaults/main.yml
@@ -20,6 +20,9 @@
octavia_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}"
octavia_helm_values: {}
+# Class name to use for the Ingress
+octavia_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
octavia_ingress_annotations: {}
diff --git a/roles/octavia/tasks/main.yml b/roles/octavia/tasks/main.yml
index b2c94fd..4432856 100644
--- a/roles/octavia/tasks/main.yml
+++ b/roles/octavia/tasks/main.yml
@@ -138,3 +138,4 @@
openstack_helm_ingress_service_name: octavia-api
openstack_helm_ingress_service_port: 9876
openstack_helm_ingress_annotations: "{{ octavia_ingress_annotations }}"
+ openstack_helm_ingress_class_name: "{{ octavia_ingress_class_name }}"
diff --git a/roles/openstack_helm_ingress/defaults/main.yml b/roles/openstack_helm_ingress/defaults/main.yml
index f3c0133..3e530ab 100644
--- a/roles/openstack_helm_ingress/defaults/main.yml
+++ b/roles/openstack_helm_ingress/defaults/main.yml
@@ -21,3 +21,6 @@
# this is useful when you want to use a single certificate for all services and
# use DNS-01 challenge to issue the certificate.
# openstack_helm_ingress_wildcard_domain: cloud.atmosphere.dev
+
+# Ingress class to use for the Ingress
+openstack_helm_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
diff --git a/roles/openstack_helm_ingress/tasks/main.yml b/roles/openstack_helm_ingress/tasks/main.yml
index bf1d770..ee9e0f7 100644
--- a/roles/openstack_helm_ingress/tasks/main.yml
+++ b/roles/openstack_helm_ingress/tasks/main.yml
@@ -56,3 +56,4 @@
ingress_service_name: "{{ openstack_helm_ingress_service_name }}"
ingress_service_port: "{{ openstack_helm_ingress_service_port }}"
ingress_secret_name: "{{ openstack_helm_ingress_secret_name | default(openstack_helm_ingress_service_name ~ '-certs') }}"
+ ingress_class_name: "{{ openstack_helm_ingress_class_name }}"
diff --git a/roles/placement/defaults/main.yml b/roles/placement/defaults/main.yml
index bc72b55..e29baa5 100644
--- a/roles/placement/defaults/main.yml
+++ b/roles/placement/defaults/main.yml
@@ -20,5 +20,8 @@
placement_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}"
placement_helm_values: {}
+# Class name to use for the Ingress
+placement_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
placement_ingress_annotations: {}
diff --git a/roles/placement/tasks/main.yml b/roles/placement/tasks/main.yml
index cebee35..cb33025 100644
--- a/roles/placement/tasks/main.yml
+++ b/roles/placement/tasks/main.yml
@@ -30,3 +30,4 @@
openstack_helm_ingress_service_name: placement-api
openstack_helm_ingress_service_port: 8778
openstack_helm_ingress_annotations: "{{ placement_ingress_annotations }}"
+ openstack_helm_ingress_class_name: "{{ placement_ingress_class_name }}"
diff --git a/roles/rook_ceph_cluster/defaults/main.yml b/roles/rook_ceph_cluster/defaults/main.yml
index 4c2545b..d5b1c2d 100644
--- a/roles/rook_ceph_cluster/defaults/main.yml
+++ b/roles/rook_ceph_cluster/defaults/main.yml
@@ -22,6 +22,9 @@
rook_ceph_cluster_helm_kubeconfig: "{{ kubeconfig_path | default('/etc/kubernetes/admin.conf') }}"
rook_ceph_cluster_helm_values: {}
+# Class name to use for the Ingress
+rook_ceph_cluster_ingress_class_name: "{{ atmosphere_ingress_class_name }}"
+
# List of annotations to apply to the Ingress
rook_ceph_cluster_radosgw_annotations: {}
diff --git a/roles/rook_ceph_cluster/tasks/main.yml b/roles/rook_ceph_cluster/tasks/main.yml
index 92f3842..b42b3a1 100644
--- a/roles/rook_ceph_cluster/tasks/main.yml
+++ b/roles/rook_ceph_cluster/tasks/main.yml
@@ -132,3 +132,4 @@
openstack_helm_ingress_service_name: rook-ceph-rgw-{{ rook_ceph_cluster_name }}
openstack_helm_ingress_service_port: 80
openstack_helm_ingress_annotations: "{{ _rook_ceph_cluster_radosgw_annotations | combine(rook_ceph_cluster_radosgw_annotations, recursive=True) }}"
+ openstack_helm_ingress_class_name: "{{ rook_ceph_cluster_ingress_class_name }}"
diff --git a/roles/tempest/vars/main.yml b/roles/tempest/vars/main.yml
index ea508f9..5c92ad6 100644
--- a/roles/tempest/vars/main.yml
+++ b/roles/tempest/vars/main.yml
@@ -33,7 +33,8 @@
endpoint_type: internal
fixed_network_name: public
dashboard:
- dashboard_url: "http://horizon-int.openstack.svc.cluster.local"
+ dashboard_url: "https://{{ openstack_helm_endpoints_horizon_api_host }}"
+ disable_ssl_certificate_validation: "{{ cluster_issuer_type == 'self-signed' }}"
identity:
v3_endpoint_type: internal
image:
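Review bot: `disable_ssl_certificate_validation` is derived from the issuer type without a comment, so it is not obvious that the dashboard tests skip certificate checks only on self-signed deployments and that a verified run needs a real issuer. I suggest a line above it such as `# Self-signed issuer: Tempest cannot verify the dashboard certificate, so validation is skipped`. With `dashboard_url` now pointing at the public endpoint, the tests also depend on that host resolving from wherever Tempest runs, which may deserve a mention in the same comment.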