From 28d822c562d18712e21cb8e3278624cae679575d Mon Sep 17 00:00:00 2001 From: Luke Repko Date: Fri, 2 Aug 2024 12:54:24 -0500 Subject: [PATCH 1/4] fix: add missing top-level key for pods Co-authored-by: aedan --- base-helm-configs/cinder/cinder-helm-overrides.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/base-helm-configs/cinder/cinder-helm-overrides.yaml b/base-helm-configs/cinder/cinder-helm-overrides.yaml index 312a87a1..ae403ddf 100644 --- a/base-helm-configs/cinder/cinder-helm-overrides.yaml +++ b/base-helm-configs/cinder/cinder-helm-overrides.yaml @@ -57,6 +57,8 @@ jobs: history: success: 3 failed: 1 + +pod: security_context: volume_usage_audit: pod: From 3847c1ceacc1971b60f51dfb1cb48e608ea998f4 Mon Sep 17 00:00:00 2001 From: Luke Repko Date: Fri, 2 Aug 2024 13:19:48 -0500 Subject: [PATCH 2/4] fix: use keystone endpoint instead of pw Also allow overriding default RegionOne with specified region. Co-authored-by: aedan --- bin/create-secrets.sh | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/bin/create-secrets.sh b/bin/create-secrets.sh index c6e118df..72c3bee4 100755 --- a/bin/create-secrets.sh +++ b/bin/create-secrets.sh @@ -1,6 +1,37 @@ #!/bin/bash # shellcheck disable=SC2086 +usage() { + echo "Usage: $0 [--region default: RegionOne]" + exit 1 +} + +region="RegionOne" + +while [[ "$#" -gt 0 ]]; do + case $1 in + --help) + usage + ;; + -h) + usage + ;; + --region) + region="$2" + shift 2 + ;; + *) + echo "Unknown parameter passed: $1" + usage + ;; + esac +done + +# Check if the region argument is provided +if [ -z "$region" ]; then + usage +fi + generate_password() { < /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32} } 
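Review bot: In the `--region)` branch of `bin/create-secrets.sh`, `region="$2"` followed by `shift 2` does not handle `--region` passed as the last argument. When only one positional parameter remains, bash's `shift 2` fails and leaves the parameters unchanged, so unless `set -e` is enabled somewhere outside this hunk the `while [[ "$#" -gt 0 ]]` loop never terminates and the later `[ -z "$region" ]` check is never reached. Guard the branch before assigning, for example `[[ -n "${2:-}" && "$2" != -* ]] || usage`. Separately, `usage` always runs `exit 1`, so `-h`/`--help` reports failure to a calling script; an optional exit-status argument (`exit "${1:-1}"`, with the help branches calling `usage 0`) would distinguish the two cases.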
@@ -354,9 +385,9 @@ data: db-username: $(echo -n "skyline" | base64) db-password: $(echo -n $skyline_db_password | base64 -w0) secret-key: $(echo -n $skyline_secret_key_password | base64 -w0) - keystone-endpoint: $(echo -n $keystone_admin_password | base64 -w0) # Using the generated keystone-keystone-admin password + keystone-endpoint: $(echo -n "http://keystone-api.openstack.svc.cluster.local:5000/v3" | base64 -w0) keystone-username: $(echo -n "skyline" | base64) - default-region: $(echo -n "RegionOne" | base64) + default-region: $(echo -n "$region" | base64) prometheus_basic_auth_password: $(echo -n "" | base64) prometheus_basic_auth_user: $(echo -n "" | base64) prometheus_enable_basic_auth: $(echo -n "false" | base64) From 35d522b781655a6d659cfc2fb82e691e8dfb74da Mon Sep 17 00:00:00 2001 From: Luke Repko Date: Fri, 2 Aug 2024 14:00:34 -0500 Subject: [PATCH 3/4] fix: remove redirect loop Co-authored-by: Jorge Perez --- etc/gateway-api/gateway-routes.yaml | 113 +++++----------------------- 1 file changed, 20 insertions(+), 93 deletions(-) diff --git a/etc/gateway-api/gateway-routes.yaml b/etc/gateway-api/gateway-routes.yaml index 67ff02ac..8a30842d 100644 --- a/etc/gateway-api/gateway-routes.yaml +++ b/etc/gateway-api/gateway-routes.yaml 
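Review bot: `default-region` is now built from caller-supplied input but still pipes through plain `base64`, while the neighbouring `db-password`, `secret-key` and `keystone-endpoint` lines use `-w0`. GNU base64 wraps its output at 76 columns, so a long region value would put a newline inside the manifest field; use `default-region: $(echo -n "$region" | base64 -w0)`. The new `keystone-endpoint` is a hard-coded `http://` URL, so Skyline's Keystone credentials and tokens would cross the cluster network unencrypted unless something outside this hunk (mesh or CNI encryption) protects that path; consider making the endpoint overridable the same way as the region. Manifests generated before this change carry the Keystone admin password under the `keystone-endpoint` key, so they should be regenerated, and the password rotated if that field may have been logged or displayed as a URL. The enclosing manifest block starts and ends outside the hunk.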
@@ -2,24 +2,39 @@ apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: - name: custom-barbican-gateway-route + name: http2https-route namespace: openstack + labels: + application: gateway-api + service: HTTPRoute + route: http2https spec: parentRefs: - - name: flex-gateway - sectionName: barbican-https - namespace: nginx-gateway - name: flex-gateway sectionName: http-wildcard-listener namespace: nginx-gateway hostnames: - - "barbican.your.domain.tld" + - "*.your.domain.tld" rules: - filters: - type: RequestRedirect requestRedirect: scheme: https statusCode: 301 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: custom-barbican-gateway-route + namespace: openstack +spec: + parentRefs: + - name: flex-gateway + sectionName: barbican-https + namespace: nginx-gateway + hostnames: + - "barbican.your.domain.tld" + rules: - backendRefs: - name: barbican-api port: 9311 @@ -38,17 +53,9 @@ spec: - name: flex-gateway sectionName: cinder-https namespace: nginx-gateway - - name: flex-gateway - sectionName: http-wildcard-listener - namespace: nginx-gateway hostnames: - "cinder.your.domain.tld" rules: - - filters: - - type: RequestRedirect - requestRedirect: - scheme: https - statusCode: 301 - backendRefs: - name: cinder-api port: 8776 @@ -67,17 +74,9 @@ spec: - name: flex-gateway sectionName: glance-https namespace: nginx-gateway - - name: flex-gateway - sectionName: http-wildcard-listener - namespace: nginx-gateway hostnames: - "glance.your.domain.tld" rules: - - filters: - - type: RequestRedirect - requestRedirect: - scheme: https - statusCode: 301 - backendRefs: - name: glance-api port: 9292 
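Review bot: Nothing in the manifest records that `http2https-route` is meant to be the only route attached to `http-wildcard-listener`, so a later service route that re-adds that `parentRefs` entry could bring back the redirect conflict or expose a backend over plain HTTP. A comment above the new route would cover it, e.g. `# Sole route on http-wildcard-listener: redirects every plain-HTTP request to HTTPS; service routes attach only to their own *-https listener.` The hunk headers jump from the neutron route (old line 154 region, `-179`) to the placement route (`-237`), so the routes in between are untouched by this patch; if any of them still reference `http-wildcard-listener` they need the same removal. The wildcard hostname `*.your.domain.tld` also does not match the bare `your.domain.tld`, should anything be served there.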
@@ -96,17 +95,9 @@ spec: - name: flex-gateway sectionName: cloudformation-https namespace: nginx-gateway - - name: flex-gateway - sectionName: http-wildcard-listener - namespace: nginx-gateway hostnames: - "cloudformation.your.domain.tld" rules: - - filters: - - type: RequestRedirect - requestRedirect: - scheme: https - statusCode: 301 - backendRefs: - name: heat-cfn port: 8000 @@ -125,17 +116,9 @@ spec: - name: flex-gateway sectionName: heat-https namespace: nginx-gateway - - name: flex-gateway - sectionName: http-wildcard-listener - namespace: nginx-gateway hostnames: - "heat.your.domain.tld" rules: - - filters: - - type: RequestRedirect - requestRedirect: - scheme: https - statusCode: 301 - backendRefs: - name: heat-api port: 8004 @@ -150,17 +133,9 @@ spec: - name: flex-gateway sectionName: keystone-https namespace: nginx-gateway - - name: flex-gateway - sectionName: http-wildcard-listener - namespace: nginx-gateway hostnames: - "keystone.your.domain.tld" rules: - - filters: - - type: RequestRedirect - requestRedirect: - scheme: https - statusCode: 301 - backendRefs: - name: keystone-api port: 5000 @@ -179,17 +154,9 @@ spec: - name: flex-gateway sectionName: neutron-https namespace: nginx-gateway - - name: flex-gateway - sectionName: http-wildcard-listener - namespace: nginx-gateway hostnames: - "neutron.your.domain.tld" rules: - - filters: - - type: RequestRedirect - requestRedirect: - scheme: https - statusCode: 301 - backendRefs: - name: neutron-server port: 9696 @@ -237,17 +204,9 @@ spec: - name: flex-gateway sectionName: placement-https namespace: nginx-gateway - - name: flex-gateway - sectionName: http-wildcard-listener - namespace: nginx-gateway hostnames: - "placement.your.domain.tld" rules: - - filters: - - type: RequestRedirect - requestRedirect: - scheme: https - statusCode: 301 - backendRefs: - name: placement-api port: 8778 
@@ -266,17 +225,9 @@ spec: - name: flex-gateway sectionName: metadata-https namespace: nginx-gateway - - name: flex-gateway - sectionName: http-wildcard-listener - namespace: nginx-gateway hostnames: - "metadata.your.domain.tld" rules: - - filters: - - type: RequestRedirect - requestRedirect: - scheme: https - statusCode: 301 - backendRefs: - name: nova-metadata port: 8775 @@ -295,17 +246,9 @@ spec: - name: flex-gateway sectionName: nova-https namespace: nginx-gateway - - name: flex-gateway - sectionName: http-wildcard-listener - namespace: nginx-gateway hostnames: - "nova.your.domain.tld" rules: - - filters: - - type: RequestRedirect - requestRedirect: - scheme: https - statusCode: 301 - backendRefs: - name: nova-api port: 8774 @@ -324,17 +267,9 @@ spec: - name: flex-gateway sectionName: novnc-https namespace: nginx-gateway - - name: flex-gateway - sectionName: http-wildcard-listener - namespace: nginx-gateway hostnames: - "novnc.your.domain.tld" rules: - - filters: - - type: RequestRedirect - requestRedirect: - scheme: https - statusCode: 301 - backendRefs: - name: nova-novncproxy port: 6080 @@ -353,17 +288,9 @@ spec: - name: flex-gateway sectionName: skyline-https namespace: nginx-gateway - - name: flex-gateway - sectionName: http-wildcard-listener - namespace: nginx-gateway hostnames: - "skyline.your.domain.tld" rules: - - filters: - - type: RequestRedirect - requestRedirect: - scheme: https - statusCode: 301 - backendRefs: - name: skyline-apiserver port: 9999 From 192f05b2750c293d5eaec801748683a1033cf970 Mon Sep 17 00:00:00 2001 From: Luke Repko Date: Fri, 2 Aug 2024 14:15:45 -0500 Subject: [PATCH 4/4] docs: cite region param for create secrets script --- docs/infrastructure-namespace.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/infrastructure-namespace.md b/docs/infrastructure-namespace.md index 5918d8dc..7902d767 100644 --- a/docs/infrastructure-namespace.md +++ b/docs/infrastructure-namespace.md 
@@ -9,7 +9,8 @@ kubectl apply -k /opt/genestack/base-kustomize/openstack Then you can create all needed secrets by running the create-secrets.sh command located in /opt/genestack/bin ``` shell -/opt/genestack/bin/create-secrets.sh +/opt/genestack/bin/create-secrets.sh -h +Usage: ./create-secrets.sh [--region default: RegionOne] ``` That will create a kubesecrets.yaml file located in /etc/genestack