kolla

api/go.mod

@@ -69,4 +69,4 @@ require (
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
 
-replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236
+replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/deydra71/lib-common/modules/common v0.0.0-20240108150456-e7962ed7031f

api/go.sum

@@ -62,8 +62,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236 h1:Fo59uOmrnWdVX9WanZofoB2YnmlxDP2wbm7jHGgBIOA=
-github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236/go.mod h1:YgWd1xXF9VgsfPIwkCv3Q0j2akpnojs9zgso87tvCXY=
+github.com/deydra71/lib-common/modules/common v0.0.0-20240108150456-e7962ed7031f h1:1DOq6SRvQLbPRrwtoZuA3UyQPMLNYqM2VyNX6JYKgmo=
+github.com/deydra71/lib-common/modules/common v0.0.0-20240108150456-e7962ed7031f/go.mod h1:ov4lAbniNUsLqZCBp1RTixpqXc8JlzA5B+yTcCkJXQg=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ=
 github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=

go.mod

@@ -89,4 +89,4 @@ replace github.com/openstack-k8s-operators/nova-operator/api => ./api
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
 
-replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236
+replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/deydra71/lib-common/modules/common v0.0.0-20240108150456-e7962ed7031f

go.sum

@@ -63,8 +63,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236 h1:Fo59uOmrnWdVX9WanZofoB2YnmlxDP2wbm7jHGgBIOA=
-github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236/go.mod h1:YgWd1xXF9VgsfPIwkCv3Q0j2akpnojs9zgso87tvCXY=
+github.com/deydra71/lib-common/modules/common v0.0.0-20240108150456-e7962ed7031f h1:1DOq6SRvQLbPRrwtoZuA3UyQPMLNYqM2VyNX6JYKgmo=
+github.com/deydra71/lib-common/modules/common v0.0.0-20240108150456-e7962ed7031f/go.mod h1:ov4lAbniNUsLqZCBp1RTixpqXc8JlzA5B+yTcCkJXQg=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ=
 github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=

pkg/nova/cellmapping.go

@@ -68,11 +68,6 @@ func CellMappingJob(
 					RestartPolicy:      corev1.RestartPolicyOnFailure,
 					ServiceAccountName: instance.RbacResourceName(),
 					Volumes:            volumes,
-					SecurityContext: &corev1.PodSecurityContext{
-						// since we run as NovaUserID, e.g. certs need to be
-						// readable by the user, instead of root
-						FSGroup: ptr.To(NovaUserID),
-					},
 					Containers: []corev1.Container{
 						{
 							Name: "nova-manage",

pkg/nova/host_discover.go

@@ -80,11 +80,6 @@ func HostDiscoveryJob(
 					RestartPolicy:      corev1.RestartPolicyOnFailure,
 					ServiceAccountName: instance.Spec.ServiceAccount,
 					Volumes:            volumes,
-					SecurityContext: &corev1.PodSecurityContext{
-						// since we run as NovaUserID, e.g. certs need to be
-						// readable by the user, instead of root
-						FSGroup: ptr.To(NovaUserID),
-					},
 					Containers: []corev1.Container{
 						{
 							Name: "nova-manage",

pkg/novaapi/deployment.go

@@ -164,11 +164,6 @@ func StatefulSet(
 				Spec: corev1.PodSpec{
 					ServiceAccountName: instance.Spec.ServiceAccount,
 					Volumes:            volumes,
-					SecurityContext: &corev1.PodSecurityContext{
-						// since we run as NovaUserID, e.g. certs need to be
-						// readable by the user, instead of root
-						FSGroup: ptr.To(nova.NovaUserID),
-					},
 					Containers: []corev1.Container{
 						// the first container in a pod is the default selected
 						// by oc log so define the log stream container first.

pkg/novametadata/deployment.go

@@ -152,11 +152,6 @@ func StatefulSet(
 				Spec: corev1.PodSpec{
 					ServiceAccountName: instance.Spec.ServiceAccount,
 					Volumes:            volumes,
-					SecurityContext: &corev1.PodSecurityContext{
-						// since we run as NovaUserID, e.g. certs need to be
-						// readable by the user, instead of root
-						FSGroup: ptr.To(nova.NovaUserID),
-					},
 					Containers: []corev1.Container{
 						// the first container in a pod is the default selected
 						// by oc log so define the log stream container first.

pkg/novncproxy/deployment.go

@@ -153,11 +153,6 @@ func StatefulSet(
 				Spec: corev1.PodSpec{
 					ServiceAccountName: instance.Spec.ServiceAccount,
 					Volumes:            volumes,
-					SecurityContext: &corev1.PodSecurityContext{
-						// since we run as NovaUserID, e.g. certs need to be
-						// readable by the user, instead of root
-						FSGroup: ptr.To(nova.NovaUserID),
-					},
 					Containers: []corev1.Container{
 						{
 							Name: instance.Name + "-novncproxy",

templates/novaapi/config/nova-api-config.json

@@ -31,6 +31,22 @@
             "dest": "/etc/httpd/conf.d/ssl.conf",
             "owner": "root",
             "perm": "0644"
+        },
+        {
+            "source": "/var/lib/config-data/tls/certs/*",
+            "dest": "/etc/pki/tls/certs/",
+            "owner": "root",
+            "perm": "0640",
+            "optional": true,
+            "merge": true
+        },
+        {
+            "source": "/var/lib/config-data/tls/private/*",
+            "dest": "/etc/pki/tls/private/",
+            "owner": "root",
+            "perm": "0600",
+            "optional": true,
+            "merge": true
         }
     ],
     "permissions": [

templates/novametadata/config/nova-metadata-config.json

@@ -31,6 +31,22 @@
       "dest": "/etc/httpd/conf.d/ssl.conf",
       "owner": "root",
       "perm": "0644"
+    },
+    {
+      "source": "/var/lib/config-data/tls/certs/*",
+      "dest": "/etc/pki/tls/certs/",
+      "owner": "root",
+      "perm": "0640",
+      "optional": true,
+      "merge": true
+    },
+    {
+      "source": "/var/lib/config-data/tls/private/*",
+      "dest": "/etc/pki/tls/private/",
+      "owner": "root",
+      "perm": "0600",
+      "optional": true,
+      "merge": true
     }
   ],
   "permissions": [

templates/novanovncproxy/config/nova-novncproxy-config.json

@@ -19,6 +19,22 @@
             "owner": "nova",
             "perm": "0600",
             "optional": true
+        },
+        {
+            "source": "/var/lib/config-data/tls/certs/*",
+            "dest": "/etc/pki/tls/certs/",
+            "owner": "root",
+            "perm": "0640",
+            "optional": true,
+            "merge": true
+        },
+        {
+            "source": "/var/lib/config-data/tls/private/*",
+            "dest": "/etc/pki/tls/private/",
+            "owner": "root",
+            "perm": "0600",
+            "optional": true,
+            "merge": true
         }
     ]
 }