From b356cbe21f787af75531bf85a5d7f58abe709cf9 Mon Sep 17 00:00:00 2001
From: josebb <jose.bautista.barato@gmail.com>
Date: Wed, 11 May 2022 10:40:04 +0300
Subject: [PATCH] Support TLS endpoints in nova metadata-api

This allows nova metadata-api to consume TLS openstack endpoints,
typically identity endpoints.

Same idea as
https://review.opendev.org/c/openstack/openstack-helm/+/820212

Change-Id: I80e580badc96908f382fe8c6ddb2fae7caa957ed
---
 nova/Chart.yaml                             | 2 +-
 nova/templates/deployment-api-metadata.yaml | 9 +++++++--
 releasenotes/notes/nova.yaml                | 1 +
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/nova/Chart.yaml b/nova/Chart.yaml
index 5652456e1c..58049ae87d 100644
--- a/nova/Chart.yaml
+++ b/nova/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Nova
 name: nova
-version: 0.2.44
+version: 0.2.45
 home: https://docs.openstack.org/nova/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
 sources:
diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml
index 44d3a492d7..9170d69b42 100644
--- a/nova/templates/deployment-api-metadata.yaml
+++ b/nova/templates/deployment-api-metadata.yaml
@@ -91,6 +91,11 @@ spec:
 {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "nova" "container" "nova_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/nova/certs/ca.crt"
+{{- end }}
           command:
             - /tmp/nova-api-metadata.sh
             - start
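Review bot: The added `REQUESTS_CA_BUNDLE` entry replaces, rather than extends, the CA bundle python-requests trusts, so `/etc/nova/certs/ca.crt` has to chain every HTTPS endpoint this container calls, not only the identity endpoint; an endpoint signed by another CA will fail verification. A template comment above the `env:` block would record that, e.g. `{{/* REQUESTS_CA_BUNDLE overrides the default trust store; ca.crt must cover every HTTPS endpoint this container calls */}}`. Separately, this patch does not touch values.yaml, so confirm `tls.identity` has a default there: if the `tls` map is absent, `.Values.tls.identity` fails at render time, and the same expression is used in the volumeMount and volume hunks below. The container spec starts and ends outside this hunk, so it is not visible whether another `env:` key already exists on it.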
@@ -182,7 +187,7 @@ spec:
               readOnly: true
             {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
       volumes:
         - name: pod-tmp
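Review bot: With only `tls.identity` set, the changed `tls_volume_mount` line mounts the metadata service's own TLS secret under `/etc/nova/certs` just to obtain `ca.crt`. If the snippet mounts its default key set (its definition is not in this patch), the private key `tls.key` is exposed to the container without being needed. helm-toolkit's snippet accepts a `certs` tuple, so the identity-only case could pass `"certs" (tuple "ca.crt")` while the `manifests.certificates` case keeps the full set. That keeps key material out of pods that only act as TLS clients.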
@@ -202,6 +207,6 @@ spec:
         - name: pod-shared
           emptyDir: {}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
 {{- end }}
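Review bot: When `manifests.certificates` is false and `tls.identity` is true, the changed `tls_volume` line references the secret named by `secrets.tls.compute_metadata.metadata.internal`, but nothing in this patch creates it, so it presumably has to be provisioned out of band with a `ca.crt` key. If the secret is missing the pod cannot mount the volume, and if it lacks `ca.crt` the `REQUESTS_CA_BUNDLE` value from the first hunk may not point at a usable CA file. This precondition is worth stating in the release note or in a comment here, e.g. `{{/* tls.identity without manifests.certificates: the secret must already exist and contain ca.crt */}}`.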
diff --git a/releasenotes/notes/nova.yaml b/releasenotes/notes/nova.yaml
index dda928fd9f..027612cb7e 100644
--- a/releasenotes/notes/nova.yaml
+++ b/releasenotes/notes/nova.yaml
@@ -65,4 +65,5 @@ nova:
   - 0.2.42 Add missing configuration ``[vnc]/novncproxy_host``
   - 0.2.43 Added OCI registry authentication
   - 0.2.44 Distinguish between port number of internal endpoint and binding port number
+  - 0.2.45 Support TLS endpoints for metadata-api
 ...