{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}

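{{- /*
Job "nova-cell-setup": rendered only when manifests.job_cell_setup is set in
the chart values. The pod runs under the fixed service account name
"nova-cell-setup", which the ClusterRole/ClusterRoleBinding later in this file
allow to get/list cluster nodes.

Container order, as declared below:
  1. the helm-toolkit entrypoint init container (presumably the dependency
     wait; its definition is not in this file),
  2. nova-wait-for-computes-init (optional, bootstrap.wait_for_computes.enabled),
  3. nova-cell-setup-init (receives the Keystone admin openrc environment),
  4. nova-cell-setup (main container, runs /tmp/cell-setup.sh).
*/}}
{{- if .Values.manifests.job_cell_setup }}
{{- $envAll := . }}

{{- $serviceAccountName := "nova-cell-setup" }}
{{ tuple $envAll "cell_setup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: nova-cell-setup
  labels:
{{ tuple $envAll "nova" "cell-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
  annotations:
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
  template:
    metadata:
      labels:
{{ tuple $envAll "nova" "cell-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
{{ dict "envAll" $envAll "podName" "nova-cell-setup" "containerNames" (list "nova-cell-setup-init" "nova-cell-setup" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
      # Every container in this pod shares this service account and therefore
      # the node get/list permission bound to it at the end of this file.
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        # The value is quoted so that boolean- or number-looking selector
        # values from the chart values are still rendered as strings, which is
        # the only type a nodeSelector accepts.
        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value | quote }}
{{ if $envAll.Values.pod.tolerations.nova.enabled }}
{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{ end }}
      initContainers:
{{ tuple $envAll "cell_setup" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
{{- if $envAll.Values.bootstrap.wait_for_computes.enabled }}
        # NOTE(review): this container takes its security context from the
        # "bootstrap" application key, while the other two containers use
        # "nova_cell_setup". Confirm the chart values define a context for it
        # there; otherwise it may render without a securityContext. It also
        # has no resources snippet, unlike the other two containers.
        - name: nova-wait-for-computes-init
{{ tuple $envAll "nova_wait_for_computes_init" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "bootstrap" "container" "nova_wait_for_computes_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /bin/bash
            - -c
            - /tmp/wait-for-computes-init.sh
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            # The script comes from the nova-bin ConfigMap and is mounted
            # read-only on top of the writable /tmp emptyDir.
            - name: nova-bin
              mountPath: /tmp/wait-for-computes-init.sh
              subPath: wait-for-computes-init.sh
              readOnly: true
{{- end }}
        - name: nova-cell-setup-init
{{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          # The openrc environment is built from the secret named by
          # secrets.identity.admin, so this init container holds Keystone
          # admin credentials in its environment. It is the only container in
          # this Job that receives them. "useCA" is set when either
          # manifests.certificates or tls.identity is enabled.
          env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
          command:
            - /tmp/cell-setup-init.sh
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: nova-bin
              mountPath: /tmp/cell-setup-init.sh
              subPath: cell-setup-init.sh
              readOnly: true
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
      containers:
        - name: nova-cell-setup
{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{- if or .Values.manifests.certificates .Values.tls.identity }}
          # Points Python "requests" at the chart-provided CA bundle.
          # NOTE(review): assumes the tls_volume_mount snippet below places
          # ca.crt under /etc/nova/certs when no "path" is passed - confirm.
          env:
            - name: REQUESTS_CA_BUNDLE
              value: "/etc/nova/certs/ca.crt"
{{- end }}
          command:
            - /tmp/cell-setup.sh
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: nova-bin
              mountPath: /tmp/cell-setup.sh
              subPath: cell-setup.sh
              readOnly: true
            # /etc/nova itself is a writable emptyDir; the individual config
            # files below are layered over it as read-only subPath mounts.
            - name: etcnova
              mountPath: /etc/nova
            - name: nova-etc
              mountPath: /etc/nova/nova.conf
              subPath: nova.conf
              readOnly: true
            {{- if .Values.conf.nova.DEFAULT.log_config_append }}
            - name: nova-etc
              mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
              subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append }}
              readOnly: true
            {{- end }}
            - name: nova-etc
              mountPath: /etc/nova/policy.yaml
              subPath: policy.yaml
              readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
      volumes:
        - name: pod-tmp
          emptyDir: {}
        - name: etcnova
          emptyDir: {}
        # NOTE(review): nova-etc is a Secret and 0444 makes every projected
        # file (nova.conf, policy.yaml, ...) readable by any UID in the
        # container. A tighter mode would need a matching runAsUser/fsGroup;
        # check the container security context values before changing it.
        - name: nova-etc
          secret:
            secretName: nova-etc
            defaultMode: 0444
        # Scripts are projected read + execute only (0555), never writable.
        - name: nova-bin
          configMap:
            name: nova-bin
            defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}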
---
# Cluster-wide, read-only access to Node objects in the core API group for the
# nova-cell-setup service account. Nodes are cluster-scoped, so a namespaced
# Role could not grant this. Only "get" and "list" are allowed; there is no
# watch and no write verb.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ $serviceAccountName }}
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list"]
---
# Binds the node-reader ClusterRole above to the Job's service account in the
# release namespace.
# NOTE(review): the binding name is the fixed string "nova-cell-setup" and
# ClusterRoleBindings are cluster-scoped, so a second release of this chart in
# another namespace would target the same object - confirm that only one
# release per cluster is expected.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ $serviceAccountName }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ $serviceAccountName }}
subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccountName }}
    namespace: {{ $envAll.Release.Namespace }}
{{- end }}