Add Helm charts for dcorch, dcdbsync and dcagent

This review adds the Helm charts for dcagent, dcdbsync, and dcorch —
including components like dcorch-api, dcorch-engine,
dcorch-engine-worker, and the various dcorch-* proxies.

At this stage, subcloud synchronization via dcorch is functional.

The job-ks-user templates create the OpenStack users for dcagent,
dcorch, and dcdbsync. The job-ks-service templates register the
dcagent, dcorch-dcdbsync, and dcdbsync OpenStack services.

The job-ks-endpoints templates create the OpenStack endpoints for
each API: dcagent, dcdbsync, identity-proxy, sysinv-proxy,
usm-proxy, and patching-proxy.

For dcdbsync, the approach is slightly different, as it must run on
both the SystemController and the subcloud. To support this,
nodeAffinity was added to all dcdbsync jobs and to the
dcdbsync-api pod, using the starlingx.io/distributed-cloud and
starlingx.io/subcloud labels.

For dcagent and dcdbsync in the subcloud, incoming traffic from the
SystemController is routed through HAProxy admin ports — 8220 for
dcdbsync and 8326 for dcagent. HAProxy then forwards the traffic to
controller.internal:8219 for dcdbsync and controller.internal:8325
for dcagent.

To support this behavior, two new deployments were added:
dcdbsync-nginx-proxy.yaml and dcagent-nginx-proxy.yaml. These run
NGINX containers that listen on 0.0.0.0:8219 and 0.0.0.0:8325
respectively, and forward traffic to the internal dcdbsync-api and
dcagent-api services.

Test Plan:
  PASS: During a subcloud add command, verify that dcorch receives
        notifications from dcmanager-state, and that the subcloud
        is correctly added to the database.
  PASS: Initial sync process completes successfully.
  PASS: Both dcagent and dcdbsync in the subcloud is reached correctly
        from Systemcontroller.
  PASS: Identity and platform resource propagation works correctly.
        Verify dcorch audit, dcorch sync, dcdbsync and dcagent
        behavior.
  PASS: Resource propagation through the proxy works as expected.
        Verify keystone and platform api-proxies functionality.
  PASS: Run a software upload command with --os-region-name
        SystemController and verify that it works correctly and that
        the content is added to dc-vault.

Story: 2011312
Task: 51859

Change-Id: I431d9ab83ab17bbf5ea712e4bb5c65a427c85d78
Co-Authored-By: Yuxing Jiang <yuxing.jiang@windriver.com>
Signed-off-by: Enzo Candotti <Enzo.Candotti@windriver.com>

README.md

@@ -26,11 +26,12 @@ sudo sm-unmanage service dcorch-patch-api-proxy
 sudo sm-unmanage service dcorch-identity-api-proxy
 
 sudo sm-unmanage service dcdbsync-api
-
+sudo sm-unmanage service dcagent-api
 
 sudo pkill -f ^".*/bin/dcmanager.*"
 sudo pkill -f ^".*/bin/dcorch.*"
 sudo pkill -f ^".*/bin/dcdbsync.*"
+sudo pkill -f ^".*/bin/dcagent.*"
 ```
 
 ## Platform Setup
@@ -50,11 +51,21 @@ system host-label-assign controller-1 starlingx.io/distributed-cloud=enabled
 
 kubectl create namespace distributed-cloud
 
-# Create system-local-ca secret
+# Create default-registry-key secret | if using registry.local:9001
+
+kubectl create secret docker-registry default-registry-key \
+  --docker-server=registry.local:9001 \
+  --docker-username=admin \
+  --docker-password=${OS_PASSWORD} \
+  --namespace=distributed-cloud
+
+# Create ca-cert secret to allow SSL
+
+sudo cp /etc/ssl/certs/ca-certificates.crt /home/sysadmin
+sudo chown sysadmin:sys_protected /home/sysadmin/ca-certificates.crt
+kubectl -n distributed-cloud create secret generic root-ca   --from-file=ca.crt=/home/sysadmin/ca-certificates.crt
 
-cp /etc/ssl/certs/dc-adminep-root-ca.pem /home/sysadmin/root-ca.pem
 
-kubectl -n distributed-cloud create secret generic root-ca --from-file=ca.crt=/home/sysadmin/root-ca.pem
 ```
 
 ## Distributed Cloud Application Deployment (development)
@@ -82,6 +93,9 @@ DCMANAGER_DB_PASSWORD=$(keyring get dcmanager database)
 DCMANAGER_KS_PASSWORD=$(keyring get dcmanager services)
 DCORCH_DB_PASSWORD=$(keyring get dcorch database)
 DCORCH_KS_PASSWORD=$(keyring get dcorch services)
+DCDBSYNC_KS_PASSWORD=$(keyring get dcdbsync services)
+KEYSTONE_DB_PASSWORD=$(keyring get keystone database)
+DCAGENT_KS_PASSWORD=$(keyring get dcagent services)
 
 # Create dcmanager and dcorch overrides
 cat<<EOF>dcmanager.yaml
@@ -191,7 +205,7 @@ endpoints:
       admin:
         username: admin
         password: ${ADMIN_KS_PASSWORD}
-        region_name: RegionOne
+        region_name: ${OS_REGION_NAME}
         project_name: admin
         user_domain_name: Default
         project_domain_name: Default
@@ -199,7 +213,7 @@ endpoints:
         role: admin
         username: dcmanager
         password: ${DCMANAGER_KS_PASSWORD}
-        region_name: RegionOne
+        region_name: ${OS_REGION_NAME}
         project_name: services
         user_domain_name: Default
         project_domain_name: Default
@@ -240,7 +254,6 @@ images:
     ks_user: ${DOCKER_IMAGE}
     ks_service: ${DOCKER_IMAGE}
     ks_endpoints: ${DOCKER_IMAGE}
-    dcorch_db_sync: ${DOCKER_IMAGE}
     db_init: ${DOCKER_IMAGE}
     db_drop: ${DOCKER_IMAGE}
   pullPolicy: Always
@@ -280,12 +293,10 @@ dependencies:
       jobs:
         - dcorch-ks-user
         - dcorch-ks-service
-        - dcorch-ks-endpoints
     ks_endpoints:
       jobs:
         - dcorch-ks-user
         - dcorch-ks-service
-
 endpoints:
   cluster_domain_suffix: cluster.local
   oslo_db:
@@ -333,7 +344,7 @@ endpoints:
       admin:
         username: admin
         password: ${ADMIN_KS_PASSWORD}
-        region_name: RegionOne
+        region_name: ${OS_REGION_NAME}
         project_name: admin
         user_domain_name: Default
         project_domain_name: Default
@@ -341,7 +352,7 @@ endpoints:
         role: admin
         username: dcorch
         password: ${DCORCH_KS_PASSWORD}
-        region_name: RegionOne
+        region_name: ${OS_REGION_NAME}
         project_name: services
         user_domain_name: Default
         project_domain_name: Default
@@ -374,18 +385,182 @@ endpoints:
         default: 8118
         public: 80
 EOF
+
+cat<<EOF>dcdbsync.yaml
+images:
+  tags:
+    dcdbsync: ${DOCKER_IMAGE}
+    ks_user: ${DOCKER_IMAGE}
+    ks_service: ${DOCKER_IMAGE}
+    ks_endpoints: ${DOCKER_IMAGE}
+conf:
+  dcdbsync:
+    keystone_authtoken:
+      region_name: ${OS_REGION_NAME}
+      password: ${DCDBSYNC_KS_PASSWORD}
+    endpoint_cache:
+      region_name: ${OS_REGION_NAME}
+      password: ${DCDBSYNC_KS_PASSWORD}
+endpoints:
+  cluster_domain_suffix: cluster.local
+  sql_alchemy:
+    auth:
+      keystone:
+        password: ${KEYSTONE_DB_PASSWORD}
+  identity:
+    name: keystone
+    auth:
+      admin:
+        username: admin
+        password: ${ADMIN_KS_PASSWORD}
+        region_name: ${OS_REGION_NAME}
+        project_name: admin
+        user_domain_name: Default
+        project_domain_name: Default
+      dcdbsync:
+        role: admin
+        username: dcdbsync
+        password: ${DCDBSYNC_KS_PASSWORD}
+        region_name: ${OS_REGION_NAME}
+        project_name: services
+        user_domain_name: Default
+        project_domain_name: Default
+    hosts:
+      default: keystone-api
+      public: keystone
+    host_fqdn_override:
+      default: controller.internal
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+EOF
+
+
+cat<<EOF>dcagent.yaml
+images:
+  tags:
+    dcagent: ${DOCKER_IMAGE}
+    ks_user: ${DOCKER_IMAGE}
+    ks_service: ${DOCKER_IMAGE}
+    ks_endpoints: ${DOCKER_IMAGE}
+  pullPolicy: Always
+pod:
+  image_pull_secrets:
+    default:
+      - name: default-registry-key
+  tolerations:
+    dcagent:
+      enabled: true
+conf:
+  dcagent:
+    DEFAULT:
+      log_config_append: /etc/dcagent/logging.conf
+      auth_strategy: keystone
+      workers: 1
+    keystone_authtoken:
+      auth_uri: http://controller.internal:5000
+      auth_url: http://controller.internal:5000
+      auth_type: password
+      region_name: ${OS_REGION_NAME}
+      username: dcagent
+      password: ${DCAGENT_KS_PASSWORD}
+      project_name: services
+      user_domain_name: Default
+      project_domain_name: Default
+    endpoint_cache:
+      auth_uri: http://controller.internal:5000/v3
+      auth_plugin: password
+      region_name: ${OS_REGION_NAME}
+      username: dcagent
+      password: ${DCAGENT_KS_PASSWORD}
+      user_domain_name: Default
+      project_name: services
+      project_domain_name: Default
+      http_connect_timeout: 15
+dependencies:
+  static:
+    api:
+      jobs:
+        - dcagent-ks-user
+        - dcagent-ks-service
+        - dcagent-ks-endpoints
+    ks_endpoints:
+      jobs:
+        - dcagent-ks-user
+        - dcagent-ks-service
+endpoints:
+  cluster_domain_suffix: cluster.local
+  identity:
+    name: keystone
+    auth:
+      admin:
+        username: admin
+        password: ${ADMIN_KS_PASSWORD}
+        region_name: ${OS_REGION_NAME}
+        project_name: admin
+        user_domain_name: Default
+        project_domain_name: Default
+      dcagent:
+        role: admin
+        username: dcagent
+        password: ${DCAGENT_KS_PASSWORD}
+        region_name: ${OS_REGION_NAME}
+        project_name: services
+        user_domain_name: Default
+        project_domain_name: Default
+    hosts:
+      default: keystone-api
+      public: keystone
+    host_fqdn_override:
+      default: controller.internal
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  dcagent:
+    name: dcagent
+    hosts:
+      default: dcagent-api
+      public: dcagent
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v1
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8325
+        public: 80
+
+EOF
+
 ```
 
 ```bash
 system helm-override-update distributed-cloud dcmanager distributed-cloud --values dcmanager.yaml
 system helm-override-update distributed-cloud dcorch distributed-cloud --values dcorch.yaml
+system helm-override-update distributed-cloud dcdbsync distributed-cloud --values dcdbsync.yaml
+system helm-override-update distributed-cloud dcagent distributed-cloud --values dcagent.yaml
 
 system helm-override-show distributed-cloud dcmanager distributed-cloud
 system helm-override-show distributed-cloud dcorch distributed-cloud
+system helm-override-show distributed-cloud dcdbsync distributed-cloud
+system helm-override-show distributed-cloud dcagent distributed-cloud
 ```
 
 ## Apply app-distributed-cloud
 
+
 ```bash
 system application-apply distributed-cloud
 system application-show distributed-cloud

python3-k8sapp-distributed-cloud/k8sapp_distributed_cloud/k8sapp_distributed_cloud/common/constants.py

@@ -8,10 +8,14 @@
 # These values match the names in the chart package's Chart.yaml
 HELM_CHART_DCMANAGER = 'dcmanager'
 HELM_CHART_DCORCH = 'dcorch'
+HELM_CHART_DCDBSYNC = 'dcdbsync'
+HELM_CHART_DCAGENT = 'dcagent'
 
 # FluxCD
 FLUXCD_HELM_RELEASE_DCMANAGER = 'dcmanager'
 FLUXCD_HELM_RELEASE_DCORCH = 'dcorch'
+FLUXCD_HELM_RELEASE_DCDBSYNC = 'dcdbsync'
+FLUXCD_HELM_RELEASE_DCAGENT = 'dcagent'
 
 # Namespace to deploy the application
 HELM_NS_DISTCLOUD = 'distributed-cloud'
@@ -21,6 +25,8 @@ HELM_APP_DISTCLOUD = 'distributed-cloud'
 
 # Application Services
 HELM_SERVICE_DCMANAGER_API = "dcmanager-api"
+HELM_SERVICE_DCDBSYNC_API = "dcdbsync-api"
+HELM_SERVICE_DCAGENT_API = "dcagent-api"
 
 # Application component label
 HELM_LABEL_PARAMETER = 'labels'

python3-k8sapp-distributed-cloud/k8sapp_distributed_cloud/k8sapp_distributed_cloud/helm/dcagent.py

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from . import base
+
+from k8sapp_distributed_cloud.common import constants as app_constants
+
+
+class DCAgentHelm(base.DistributedCloudHelm):
+
+    @property
+    def CHART(self):
+        return app_constants.HELM_CHART_DCAGENT
+
+    @property
+    def HELM_RELEASE(self):
+        return app_constants.FLUXCD_HELM_RELEASE_DCAGENT

python3-k8sapp-distributed-cloud/k8sapp_distributed_cloud/k8sapp_distributed_cloud/helm/dcdbsync.py

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from . import base
+
+from k8sapp_distributed_cloud.common import constants as app_constants
+
+
+class DCDBSyncHelm(base.DistributedCloudHelm):
+
+    @property
+    def CHART(self):
+        return app_constants.HELM_CHART_DCDBSYNC
+
+    @property
+    def HELM_RELEASE(self):
+        return app_constants.FLUXCD_HELM_RELEASE_DCDBSYNC

python3-k8sapp-distributed-cloud/k8sapp_distributed_cloud/setup.cfg

@@ -32,6 +32,8 @@ systemconfig.helm_applications =
 systemconfig.helm_plugins.distributed_cloud =
     001_dcmanager = k8sapp_distributed_cloud.helm.dcmanager:DCManagerHelm
     002_dcorch = k8sapp_distributed_cloud.helm.dcorch:DCOrchHelm
+    003_dcdbsync = k8sapp_distributed_cloud.helm.dcdbsync:DCDBSyncHelm
+    004_dcagent = k8sapp_distributed_cloud.helm.dcagent:DCAgentHelm
 
 systemconfig.app_lifecycle =
     distributed-cloud = k8sapp_distributed_cloud.lifecycle.lifecycle_distributed_cloud:DistributedCloudAppLifecycleOperator

stx-distributed-cloud-helm/stx-distributed-cloud-helm/files/metadata.yaml

@@ -1,4 +1,4 @@
-# Copyright (c) 2024 Wind River Systems, Inc.
+# Copyright (c) 2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -21,3 +21,9 @@ behavior:
     triggers:
     - type: host-label-assign
     - type: host-modify
+
+disabled_charts:
+  - dcmanager
+  - dcorch
+  - dcdbsync
+  - dcagent

stx-distributed-cloud-helm/stx-distributed-cloud-helm/fluxcd-manifests/dcagent/dcagent-static-overrides.yaml

@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+pod:
+  image_pull_secrets:
+    default:
+      - name: default-registry-key
+  tolerations:
+    dcagent:
+      enabled: true
+
+endpoints:
+  identity:
+    auth:
+      admin:
+        username: admin
+      dcmanager:
+        username: dcagent

stx-distributed-cloud-helm/stx-distributed-cloud-helm/fluxcd-manifests/dcagent/dcagent-system-overrides.yaml

@@ -0,0 +1,5 @@
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#

stx-distributed-cloud-helm/stx-distributed-cloud-helm/fluxcd-manifests/dcagent/helmrelease.yaml

@@ -0,0 +1,36 @@
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
+kind: HelmRelease
+metadata:
+  name: dcagent
+  labels:
+    chart_group: dcagent
+spec:
+  releaseName: dcagent
+  chart:
+    spec:
+      chart: dcagent
+      version: 0.1.0
+      sourceRef:
+        kind: HelmRepository
+        name: stx-platform
+  interval: 1m
+  timeout: 30m
+  test:
+    enable: false
+  install:
+    disableHooks: false
+  upgrade:
+    disableHooks: false
+  valuesFrom:
+    - kind: Secret
+      name: dcagent-static-overrides
+      valuesKey: dcagent-static-overrides.yaml
+    - kind: Secret
+      name: dcagent-system-overrides
+      valuesKey: dcagent-system-overrides.yaml

stx-distributed-cloud-helm/stx-distributed-cloud-helm/fluxcd-manifests/dcagent/kustomization.yaml

@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+namespace: distributed-cloud
+resources:
+  - helmrelease.yaml
+secretGenerator:
+  - name: dcagent-static-overrides
+    files:
+      - dcagent-static-overrides.yaml
+  - name: dcagent-system-overrides
+    files:
+      - dcagent-system-overrides.yaml
+generatorOptions:
+  disableNameSuffixHash: true

stx-distributed-cloud-helm/stx-distributed-cloud-helm/fluxcd-manifests/dcdbsync/dcdbsync-static-overrides.yaml

@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+pod:
+  image_pull_secrets:
+    default:
+      - name: default-registry-key
+  tolerations:
+    dcdbsync:
+      enabled: true
+
+endpoints:
+  identity:
+    auth:
+      admin:
+        username: admin
+      dcdbsync:
+        username: dcdbsync

stx-distributed-cloud-helm/stx-distributed-cloud-helm/fluxcd-manifests/dcdbsync/dcdbsync-system-overrides.yaml

@@ -0,0 +1,5 @@
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#

stx-distributed-cloud-helm/stx-distributed-cloud-helm/fluxcd-manifests/dcdbsync/helmrelease.yaml

@@ -0,0 +1,36 @@
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
+kind: HelmRelease
+metadata:
+  name: dcdbsync
+  labels:
+    chart_group: dcdbsync
+spec:
+  releaseName: dcdbsync
+  chart:
+    spec:
+      chart: dcdbsync
+      version: 0.1.0
+      sourceRef:
+        kind: HelmRepository
+        name: stx-platform
+  interval: 1m
+  timeout: 30m
+  test:
+    enable: false
+  install:
+    disableHooks: false
+  upgrade:
+    disableHooks: false
+  valuesFrom:
+    - kind: Secret
+      name: dcdbsync-static-overrides
+      valuesKey: dcdbsync-static-overrides.yaml
+    - kind: Secret
+      name: dcdbsync-system-overrides
+      valuesKey: dcdbsync-system-overrides.yaml

stx-distributed-cloud-helm/stx-distributed-cloud-helm/fluxcd-manifests/dcdbsync/kustomization.yaml

@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+namespace: distributed-cloud
+resources:
+  - helmrelease.yaml
+secretGenerator:
+  - name: dcdbsync-static-overrides
+    files:
+      - dcdbsync-static-overrides.yaml
+  - name: dcdbsync-system-overrides
+    files:
+      - dcdbsync-system-overrides.yaml
+generatorOptions:
+  disableNameSuffixHash: true

stx-distributed-cloud-helm/stx-distributed-cloud-helm/fluxcd-manifests/kustomization.yaml

@@ -11,4 +11,6 @@ resources:
   - base
   - dcmanager
   - dcorch
+  - dcdbsync
   - dc-vault-nginx
+  - dcagent

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/Makefile

@@ -1,7 +1,5 @@
 #
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Copyright (c) 2024 Wind River Systems, Inc.
+# Copyright (c) 2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dc-vault-nginx/values.yaml

@@ -14,12 +14,9 @@ nginx:
   autoindex_exact_size: "off"
   autoindex_localtime: "on"
 
-imagePullSecrets:
-  - name: default-registry-key
-
 service:
   name: "dc-vault-nginx-service"
-  type: NodePort     # "ClusterIP" or "NodePort"
+  type: NodePort
   port: 8125
   nodePort: 30080
   externalPolicyLocal: false

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/Chart.yaml

@@ -0,0 +1,29 @@
+apiVersion: v2
+name: dcagent
+description: StarlingX Distributed Cloud Agent Service
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0"
+
+dependencies:
+  - name: helm-toolkit
+    version: ">= 0.1.0"
+    repository: file://../helm-toolkit

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "dcagent.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "dcagent.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "dcagent.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "dcagent.labels" -}}
+helm.sh/chart: {{ include "dcagent.chart" . }}
+{{ include "dcagent.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "dcagent.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "dcagent.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "dcagent.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "dcagent.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/templates/bin/_dcagent-api.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+exec python /var/lib/openstack/bin/dcagent-api --config-file=/etc/dcagent/dcagent.conf

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/templates/configmap-bin.yaml

@@ -0,0 +1,21 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dcagent-bin
+data:
+  dcagent-api.sh: |
+{{ tuple "bin/_dcagent-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/templates/dcagent-api.yaml

@@ -0,0 +1,109 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+{{- define "dcagentApiLivenessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "dcagent" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if .Values.manifests.dcagent_api }}
+{{- $envAll := . }}
+
+{{- $mounts_dcagent_api := .Values.pod.mounts.api.dcagent }}
+{{- $mounts_dcagent_api_init := .Values.pod.mounts.api.init_container }}
+
+{{- $serviceAccountName := "dcagent" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dcagent-api
+  labels:
+{{ tuple $envAll "dcagent" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  {{- if not .Values.pod.autoscaling.enabled }}
+  replicas: {{ .Values.pod.replicas.api }}
+  {{- end }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "dcagent" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      {{- with .Values.pod.annotations.api }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+{{ tuple $envAll "dcagent" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_dcagent_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: dcagent
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: /etc/ssl/certs/ca-certificates.crt
+          volumeMounts:
+            - name: dcagent-bin
+              mountPath: /tmp/dcagent-api.sh
+              subPath: dcagent-api.sh
+              readOnly: true
+            - name: dcagent-etc
+              mountPath: /etc/dcagent/dcagent.conf
+              subPath: dcagent.conf
+              readOnly: true
+            - name: dcagent-etc
+              mountPath: /etc/dcagent/logging.conf
+              subPath: logging.conf
+              readOnly: true
+{{- if .Values.ca_certificates.root_ca }}
+            - name: root-ca
+              mountPath: /usr/local/share/ca-certificates/root-ca.crt
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+{{ if $mounts_dcagent_api.volumeMounts }}{{ toYaml $mounts_dcagent_api.volumeMounts | indent 12 }}{{ end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dcagent.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ dict "envAll" . "component" "api" "container" "default" "type" "liveness" "probeTemplate" (include "dcagentApiLivenessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/dcagent-api.sh
+          image: "{{ .Values.images.tags.dcagent }}"
+          imagePullPolicy: {{ .Values.images.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ tuple "dcagent" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              protocol: TCP
+{{ tuple $envAll "dcagent" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.dcagent.node_selector_key }}: {{ .Values.labels.dcagent.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.dcagent.enabled }}
+{{ tuple $envAll "dcagent" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      affinity:
+        {{ tuple $envAll "dcagent" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      volumes:
+        - name: dcagent-etc
+          secret:
+            secretName: dcagent-etc
+            defaultMode: 0644
+        - name: dcagent-bin
+          configMap:
+            name: dcagent-bin
+            defaultMode: 0755
+{{- if .Values.ca_certificates.root_ca }}
+        - name: root-ca
+          secret:
+            secretName: {{ .Values.ca_certificates.root_ca }}
+            defaultMode: 0644
+{{- end }}
+{{ if $mounts_dcagent_api.volumes }}{{ toYaml $mounts_dcagent_api.volumes | indent 8 }}{{ end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dcagent.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/templates/dcagent-nginx-proxy.yaml

@@ -0,0 +1,72 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dcagent-nginx-proxy-conf
+data:
+  nginx.conf: |
+    events {}
+
+    http {
+      server {
+        listen 0.0.0.0:8325;
+        location / {
+          proxy_pass http://dcagent-api.distributed-cloud.svc.cluster.local:8325;
+        }
+      }
+    }
+
+{{- $envAll := . }}
+{{- $mounts_dcagent_nginx_proxy_init := .Values.pod.mounts.nginx_proxy.init_container }}
+{{- $serviceUser := "dcagent" }}
+
+{{- $serviceAccountNginxProxy := printf "%s-%s" $serviceUser "nginx-proxy" }}
+{{ tuple $envAll "nginx_proxy" $serviceAccountNginxProxy | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "dcagent.fullname" . }}-nginx-proxy
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dcagent.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ include "dcagent.name" . }}-nginx-proxy
+  template:
+    metadata:
+      labels:
+        app: {{ include "dcagent.name" . }}-nginx-proxy
+        {{- include "dcagent.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: dcagent-nginx-proxy
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      nodeSelector:
+        {{ .Values.nginx_proxy.node_selector_key }}: {{ .Values.nginx_proxy.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "nginx_proxy" $mounts_dcagent_nginx_proxy_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: nginx
+          image: {{ .Values.nginx_proxy.image }}
+          ports:
+            - containerPort: {{ .Values.nginx_proxy.port }}
+              hostPort: {{ .Values.nginx_proxy.port }}
+          volumeMounts:
+            - name: nginx-conf
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
+      volumes:
+        - name: nginx-conf
+          configMap:
+            name: {{ include "dcagent.fullname" . }}-nginx-proxy-conf

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/templates/job-ks-endpoints.yaml

@@ -0,0 +1,18 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "dcagent" "serviceTypes" ( tuple "dcagent" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.dcagent.api.public -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.dcagent.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/templates/job-ks-service.yaml

@@ -0,0 +1,18 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "dcagent" "serviceTypes" ( tuple "dcagent" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.dcagent.api.public -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.dcagent.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/templates/job-ks-user.yaml

@@ -0,0 +1,18 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "dcagent" -}}
+{{- if .Values.pod.tolerations.dcagent.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.dcagent.api.public -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/templates/secret-etc.yaml

@@ -0,0 +1,65 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if empty .Values.conf.dcagent.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.dcagent.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.dcagent.keystone_authtoken "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.dcagent.keystone_authtoken "region_name" .Values.endpoints.identity.auth.dcagent.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.dcagent.keystone_authtoken "project_name" .Values.endpoints.identity.auth.dcagent.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.dcagent.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.dcagent.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.dcagent.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.dcagent.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.dcagent.keystone_authtoken "username" .Values.endpoints.identity.auth.dcagent.username -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.dcagent.keystone_authtoken "password" .Values.endpoints.identity.auth.dcagent.password -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.keystone_authtoken.interface -}}
+{{- $_ := set .Values.conf.dcagent.keystone_authtoken "interface" (default "internal" .Values.endpoints.identity.auth.dcagent.interface) -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.endpoint_cache.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.dcagent.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.endpoint_cache.region_name -}}
+{{- $_ := set .Values.conf.dcagent.keystone_authtoken "region_name" .Values.endpoints.identity.auth.dcagent.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.endpoint_cache.project_name -}}
+{{- $_ := set .Values.conf.dcagent.keystone_authtoken "project_name" .Values.endpoints.identity.auth.dcagent.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.endpoint_cache.project_domain_name -}}
+{{- $_ := set .Values.conf.dcagent.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.dcagent.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.endpoint_cache.user_domain_name -}}
+{{- $_ := set .Values.conf.dcagent.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.dcagent.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.endpoint_cache.username -}}
+{{- $_ := set .Values.conf.dcagent.keystone_authtoken "username" .Values.endpoints.identity.auth.dcagent.username -}}
+{{- end -}}
+{{- if empty .Values.conf.dcagent.endpoint_cache.password -}}
+{{- $_ := set .Values.conf.dcagent.keystone_authtoken "password" .Values.endpoints.identity.auth.dcagent.password -}}
+{{- end -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dcagent-etc
+type: Opaque
+data:
+  dcagent.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.dcagent | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/templates/secret-keystone.yaml

@@ -0,0 +1,22 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "dcagent" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/templates/service.yaml

@@ -0,0 +1,31 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.service_dcagent }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "dcagent" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+  - name: dcagent-port
+    port: {{ .Values.network.dcagent.port }}
+    {{ if .Values.network.dcagent.node_port.enabled }}
+    nodePort: {{ .Values.network.dcagent.node_port.port }}
+    {{ end }}
+  selector:
+{{ tuple $envAll "dcagent" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.dcagent.node_port.enabled }}
+  type: NodePort
+  {{ if .Values.network.dcagent.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+  {{ end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcagent/values.yaml

@@ -0,0 +1,325 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Default values for dcagent.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+nameOverride: ""
+fullnameOverride: ""
+
+images:
+  tags:
+    dcagent: docker.io/starlingx/stx-distributed-cloud:master-debian-stable-latest
+    ks_user: docker.io/starlingx/stx-distributed-cloud:master-debian-stable-latest
+    ks_service: docker.io/starlingx/stx-distributed-cloud:master-debian-stable-latest
+    ks_endpoints: docker.io/starlingx/stx-distributed-cloud:master-debian-stable-latest
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
+  pullPolicy: IfNotPresent
+  local_registry:
+    active: false
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+labels:
+  dcagent:
+    node_selector_key: starlingx.io/subcloud
+    node_selector_value: enabled
+  job:
+    node_selector_key: starlingx.io/subcloud
+    node_selector_value: enabled
+
+network:
+  dcagent:
+    ingress:
+      public: true
+      classes:
+        namespace: "dc-nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+    port: 8325
+    node_port:
+      enabled: false
+      port: 30325
+    external_policy_local: false
+
+ingress:
+  className: "dc-nginx"
+  enabled: true
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+  hosts:
+    - host: controller
+      paths:
+        - path: "/"
+          pathType: Prefix
+  tls: []
+
+volume: []
+
+conf:
+  dcagent:
+    DEFAULT:
+      log_config_append: /etc/dcagent/logging.conf
+      auth_strategy: keystone
+      workers: 1
+    keystone_authtoken:
+      auth_uri: http://controller.internal:5000
+      auth_url: http://controller.internal:5000
+      auth_type: password
+      region_name: RegionOne
+      username: dcagent
+      password: password
+      project_name: services
+      user_domain_name: Default
+      project_domain_name: Default
+    cache:
+      auth_uri: http://controller.internal:5000/v3
+    endpoint_cache:
+      auth_uri: http://controller.internal:5000/v3
+      auth_plugin: password
+      http_connect_timeout: 15
+      region_name: RegionOne
+      project_name: services
+      user_domain_name: Default
+      project_domain_name: Default
+
+  logging:
+    loggers:
+      keys:
+        - root
+        - dcagent
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_dcagent:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: dcagent
+    logger_eventletwsgi:
+      # The dcagent needs the INFO log from wsgi to see the requests content
+      level: INFO
+      handlers:
+        - stdout
+        - stderr
+      qualname: eventlet.wsgi.server
+    logger_keystoneauth:
+      level: ERROR
+      handlers: stderr
+      qualname: keystoneauth
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+    formatter_default:
+      format: "%(message)s"
+
+dependencies:
+  static:
+    api:
+      jobs:
+        - dcagent-ks-user
+        - dcagent-ks-service
+        - dcagent-ks-endpoints
+    ks_endpoints:
+      jobs:
+        - dcagent-ks-user
+        - dcagent-ks-service
+    nginx_proxy:
+      jobs:
+        - dcagent-ks-endpoints
+
+manifests:
+  certificates: false
+  configmap_bin: true
+  dcagent_api: true
+  ingress: true
+  job_ks_user: true
+  job_ks_service: true
+  job_ks_endpoints: true
+  secret_etc: true
+  secret_ingress_tls: false
+  secret_keystone: true
+  service_dcagent: true
+  service_ingress: true
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  identity:
+    name: keystone
+    auth:
+      admin:
+        username: admin
+        password: password
+        region_name: RegionOne
+        project_name: admin
+        user_domain_name: Default
+        project_domain_name: Default
+      dcagent:
+        role: admin
+        username: dcagent
+        password: password
+        region_name: RegionOne
+        project_name: services
+        user_domain_name: Default
+        project_domain_name: Default
+    hosts:
+      default: keystone-api
+      public: keystone
+    host_fqdn_override:
+      default: controller.internal
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 5000
+        internal: 5000
+  dcagent:
+    name: dcagent
+    hosts:
+      default: dcagent-api
+      public: dcagent
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v1
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8325
+        public: 80
+
+pod:
+  probes:
+    api:
+      default:
+        liveness:
+          enabled: True
+          params:
+            initialDelaySeconds: 120
+            periodSeconds: 90
+            timeoutSeconds: 70
+  user:
+    api:
+      uid: 0
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+  annotations: {}
+  tolerations:
+    dcagent:
+      enabled: false
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
+  mounts:
+    api:
+      init_container: null
+      dcagent:
+    nginx_proxy:
+      init_container: []
+  autoscaling:
+    enabled: false
+  replicas:
+    api: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+      daemonsets:
+        pod_replacement_strategy: RollingUpdate
+        compute:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+    disruption_budget:
+        dcagent:
+        min_available: 0
+    termination_grace_period:
+        dcagent:
+        timeout: 30
+  resources:
+    enabled: false
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    jobs:
+      ks_endpoints:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+secrets:
+  identity:
+    admin: dcagent-keystone-admin
+    dcagent: dcagent-keystone-user
+  tls:
+    dcagent:
+      api:
+        public: dcagent-api-tls-public
+        internal: dcagent-api-tls-internal
+
+ca_certificates:
+  root_ca: root-ca
+
+nginx_proxy:
+  port: 8325
+  image: nginx:stable-alpine
+  node_selector_key: starlingx.io/subcloud
+  node_selector_value: enabled

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/Chart.yaml

@@ -0,0 +1,29 @@
+apiVersion: v2
+name: dcdbsync
+description: StarlingX Distributed Cloud Orchestrator Service
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0"
+
+dependencies:
+  - name: helm-toolkit
+    version: ">= 0.1.0"
+    repository: file://../helm-toolkit

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "dcdbsync.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "dcdbsync.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "dcdbsync.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "dcdbsync.labels" -}}
+helm.sh/chart: {{ include "dcdbsync.chart" . }}
+{{ include "dcdbsync.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "dcdbsync.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "dcdbsync.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "dcdbsync.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "dcdbsync.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/templates/bin/_dcdbsync-api.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+python /var/lib/openstack/bin/dcdbsync-api --config-file=/etc/dcdbsync/dcdbsync.conf

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/templates/configmap-bin.yaml

@@ -0,0 +1,21 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dcdbsync-bin
+data:
+  dcdbsync-api.sh: |
+{{ tuple "bin/_dcdbsync-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/templates/dcdbsync-api.yaml

@@ -0,0 +1,114 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- define "DCDBSyncApiLivenessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "dcorch_dbsync" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if .Values.manifests.dcdbsync_api_deployment }}
+{{- $envAll := . }}
+
+{{- $mounts_dcdbsync_api := .Values.pod.mounts.api.dcdbsync }}
+{{- $mounts_dcdbsync_api_init := .Values.pod.mounts.api.init_container }}
+
+{{- $serviceAccountName := "dcdbsync-api" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dcdbsync-api
+  labels:
+{{ tuple $envAll "dcdbsync" "dcdbsync-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  {{- if not .Values.pod.autoscaling.enabled }}
+  replicas: {{ .Values.pod.replicas.dcdbsync_api }}
+  {{- end }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "dcdbsync" "dcdbsync-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      {{- with .Values.pod.annotations.dcdbsync_api }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+{{ tuple $envAll "dcdbsync" "dcdbsync-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_dcdbsync_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: dcdbsync-api
+{{ tuple $envAll $envAll.Values.pod.resources.dcdbsync_api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: /etc/ssl/certs/ca-certificates.crt
+          volumeMounts:
+            - name: dcdbsync-bin
+              mountPath: /tmp/dcdbsync-api.sh
+              subPath: dcdbsync-api.sh
+              readOnly: true
+            - name: dcdbsync-etc
+              mountPath: /etc/dcdbsync/dcdbsync.conf
+              subPath: dcdbsync.conf
+              readOnly: true
+{{- if .Values.ca_certificates.root_ca }}
+            - name: root-ca
+              mountPath: /usr/local/share/ca-certificates/root-ca.crt
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+{{ if $mounts_dcdbsync_api.volumeMounts }}{{ toYaml $mounts_dcdbsync_api.volumeMounts | indent 12 }}{{ end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dcdbsync.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ dict "envAll" . "component" "api" "container" "default" "type" "liveness" "probeTemplate" (include "DCDBSyncApiLivenessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/dcdbsync-api.sh
+          image: "{{ .Values.images.tags.dcdbsync }}"
+          imagePullPolicy: {{ .Values.images.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ tuple "dcorch_dbsync" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              protocol: TCP
+{{ tuple $envAll "dcdbsync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+{{ if $envAll.Values.pod.tolerations.dcdbsync.enabled }}
+{{ tuple $envAll "dcdbsync" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      affinity:
+        {{ tuple $envAll "dcdbsync" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            {{- range $key := .Values.labels.dcdbsync.node_affinity_keys }}
+            - matchExpressions:
+              - key: {{ $key }}
+                operator: In
+                values:
+                - enabled
+            {{- end }}
+      volumes:
+        - name: dcdbsync-etc
+          secret:
+            secretName: dcdbsync-etc
+            defaultMode: 0644
+        - name: dcdbsync-bin
+          configMap:
+            name: dcdbsync-bin
+            defaultMode: 0755
+{{- if .Values.ca_certificates.root_ca }}
+        - name: root-ca
+          secret:
+            secretName: {{ .Values.ca_certificates.root_ca }}
+            defaultMode: 0644
+{{- end }}
+{{ if $mounts_dcdbsync_api.volumes }}{{ toYaml $mounts_dcdbsync_api.volumes | indent 8 }}{{ end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dcdbsync.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/templates/dcdbsync-nginx-proxy.yaml

@@ -0,0 +1,68 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dcdbsync-nginx-proxy-conf
+data:
+  nginx.conf: |
+    events {}
+
+    http {
+      server {
+        listen 0.0.0.0:8219;
+        location / {
+          proxy_pass http://dcdbsync-api.distributed-cloud.svc.cluster.local:8219;
+        }
+      }
+    }
+
+{{- $envAll := . }}
+{{- $mounts_dcdbsync_nginx_proxy_init := .Values.pod.mounts.nginx_proxy.init_container }}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "dcdbsync.fullname" . }}-nginx-proxy
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dcdbsync.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ include "dcdbsync.name" . }}-nginx-proxy
+  template:
+    metadata:
+      labels:
+        app: {{ include "dcdbsync.name" . }}-nginx-proxy
+        {{- include "dcdbsync.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: dcdbsync-nginx-proxy
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      nodeSelector:
+        {{ .Values.nginx_proxy.node_selector_key }}: {{ .Values.nginx_proxy.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "nginx_proxy" $mounts_dcdbsync_nginx_proxy_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: nginx
+          image: {{ .Values.nginx_proxy.image }}
+          ports:
+            - containerPort: {{ .Values.nginx_proxy.port }}
+              hostPort: {{ .Values.nginx_proxy.port }}
+          volumeMounts:
+            - name: nginx-conf
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
+      volumes:
+        - name: nginx-conf
+          configMap:
+            name: {{ include "dcdbsync.fullname" . }}-nginx-proxy-conf

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/templates/job-ks-endpoints.yaml

@@ -0,0 +1,101 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.job_ks_endpoints }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: dcdbsync-ks-endpoints
+  labels:
+{{ tuple . "dcdbsync" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  backoffLimit: 1000
+  template:
+    metadata:
+      labels:
+{{ tuple . "dcdbsync" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple . | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: dcdbsync-ks-endpoints
+      restartPolicy: OnFailure
+{{ tuple . "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{- if and .Values.labels.dcdbsync.node_affinity_keys .Values.labels.dcdbsync.node_affinity_values }}
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+{{- range $key := .Values.labels.dcdbsync.node_affinity_keys }}
+              - matchExpressions:
+                  - key: {{ $key }}
+                    operator: In
+                    values:
+{{ toYaml $.Values.labels.dcdbsync.node_affinity_values | indent 22 }}
+{{- end }}
+{{- end }}
+{{- if .Values.pod.tolerations.dcdbsync.enabled }}
+{{ tuple . "dcdbsync" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end }}
+      initContainers:
+{{ tuple . "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+{{- range $type := tuple "dcorch-dbsync" }}
+{{- range $endpoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" $type "ks-endpoints" $endpoint }}
+          image: {{ $.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $.Values.images.pullPolicy }}
+{{ tuple $ $.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-endpoints.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-endpoints-sh
+              mountPath: /tmp/ks-endpoints.sh
+              subPath: ks-endpoints.sh
+              readOnly: true
+{{- if $.Values.manifests.certificates }}
+            - name: tls-certs
+              mountPath: /etc/ssl/certs/openstack-helm.crt
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+          env:
+            - name: OS_SVC_ENDPOINT
+              value: {{ $endpoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: dcdbsync
+            - name: OS_SERVICE_TYPE
+              value: {{ $type | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $type $endpoint "api" $ | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- $useCA := ternary true false $.Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" $.Values.secrets.identity.admin "useCA" $useCA }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-endpoints-sh
+          configMap:
+            name: dcdbsync-bin
+            defaultMode: 0555
+{{- if .Values.manifests.certificates }}
+        - name: tls-certs
+          secret:
+            secretName: {{ .Values.secrets.tls.dcdbsync.api.public }}
+            defaultMode: 0444
+{{- end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/templates/job-ks-service.yaml

@@ -0,0 +1,93 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.job_ks_service }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: dcdbsync-ks-service
+  labels:
+{{ tuple . "dcdbsync" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  backoffLimit: 1000
+  template:
+    metadata:
+      labels:
+{{ tuple . "dcdbsync" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple . | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: dcdbsync-ks-service
+      restartPolicy: OnFailure
+{{ tuple . "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{- if and .Values.labels.dcdbsync.node_affinity_keys .Values.labels.dcdbsync.node_affinity_values }}
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+{{- range $key := .Values.labels.dcdbsync.node_affinity_keys }}
+              - matchExpressions:
+                  - key: {{ $key }}
+                    operator: In
+                    values:
+{{ toYaml $.Values.labels.dcdbsync.node_affinity_values | indent 22 }}
+{{- end }}
+{{- end }}
+{{- if .Values.pod.tolerations.dcdbsync.enabled }}
+{{ tuple . "dcdbsync" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end }}
+      initContainers:
+{{ tuple . "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: dcorch-dbsync-ks-service-registration
+          image: {{ .Values.images.tags.ks_service }}
+          imagePullPolicy: {{ .Values.images.pullPolicy }}
+{{ tuple . .Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-service.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-service-sh
+              mountPath: /tmp/ks-service.sh
+              subPath: ks-service.sh
+              readOnly: true
+{{- if .Values.manifests.certificates }}
+            - name: tls-certs
+              mountPath: /etc/ssl/certs/openstack-helm.crt
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+          env:
+            - name: OS_SERVICE_NAME
+              value: {{ include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" (tuple "dcorch-dbsync" .) }}
+            - name: OS_SERVICE_TYPE
+              value: "dcorch-dbsync"
+{{- $useCA := ternary true false .Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" $useCA }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-service-sh
+          configMap:
+            name: dcdbsync-bin
+            defaultMode: 0555
+{{- if .Values.manifests.certificates }}
+        - name: tls-certs
+          secret:
+            secretName: {{ .Values.secrets.tls.dcdbsync.api.public }}
+            defaultMode: 0444
+{{- end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/templates/job-ks-user.yaml

@@ -0,0 +1,104 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.job_ks_user }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: dcdbsync-ks-user
+  labels:
+{{ tuple . "dcdbsync" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  backoffLimit: 1000
+  template:
+    metadata:
+      labels:
+{{ tuple . "dcdbsync" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ tuple . | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+    spec:
+      serviceAccountName: dcdbsync-ks-user
+{{ dict "envAll" . "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      restartPolicy: OnFailure
+{{ tuple . "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{- if and .Values.labels.dcdbsync.node_affinity_keys .Values.labels.dcdbsync.node_affinity_values }}
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+{{- range $key := .Values.labels.dcdbsync.node_affinity_keys }}
+              - matchExpressions:
+                  - key: {{ $key }}
+                    operator: In
+                    values:
+{{ toYaml $.Values.labels.dcdbsync.node_affinity_values | indent 22 }}
+{{- end }}
+{{- end }}
+{{- if .Values.pod.tolerations.dcdbsync.enabled }}
+{{ tuple . "dcdbsync" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end }}
+      initContainers:
+{{ tuple . "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: ks-user
+          image: {{ .Values.images.tags.ks_user }}
+          imagePullPolicy: {{ .Values.images.pullPolicy }}
+{{ tuple . .Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" . "application" "ks_user" "container" "ks-user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /bin/bash
+            - -c
+            - /tmp/ks-user.sh
+          volumeMounts:
+            - name: pod-tmp
+              mountPath: /tmp
+            - name: ks-user-sh
+              mountPath: /tmp/ks-user.sh
+              subPath: ks-user.sh
+              readOnly: true
+{{- if .Values.manifests.certificates }}
+            - name: tls-certs
+              mountPath: /etc/ssl/certs/openstack-helm.crt
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+          env:
+            - name: OS_IDENTITY_API_VERSION
+              value: "3"
+            - name: SERVICE_OS_SERVICE_NAME
+              value: dcdbsync
+{{- $useCA := ternary true false .Values.manifests.certificates }}
+
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" $useCA }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.dcdbsync "useCA" $useCA }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+
+
+            - name: SERVICE_OS_ROLES
+              value: admin
+      volumes:
+        - name: pod-tmp
+          emptyDir: {}
+        - name: ks-user-sh
+          configMap:
+            name: dcdbsync-bin
+            defaultMode: 0555
+{{- if .Values.manifests.certificates }}
+        - name: tls-certs
+          secret:
+            secretName: {{ .Values.secrets.tls.dcdbsync.api.public }}
+            defaultMode: 0444
+{{- end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/templates/secret-etc.yaml

@@ -0,0 +1,70 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if empty .Values.conf.dcdbsync.keystone_authtoken.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.dcdbsync.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.keystone_authtoken.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.dcdbsync.keystone_authtoken "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.keystone_authtoken.region_name -}}
+{{- $_ := set .Values.conf.dcdbsync.keystone_authtoken "region_name" .Values.endpoints.identity.auth.dcdbsync.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.keystone_authtoken.project_name -}}
+{{- $_ := set .Values.conf.dcdbsync.keystone_authtoken "project_name" .Values.endpoints.identity.auth.dcdbsync.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.keystone_authtoken.project_domain_name -}}
+{{- $_ := set .Values.conf.dcdbsync.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.dcdbsync.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.keystone_authtoken.user_domain_name -}}
+{{- $_ := set .Values.conf.dcdbsync.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.dcdbsync.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.keystone_authtoken.username -}}
+{{- $_ := set .Values.conf.dcdbsync.keystone_authtoken "username" .Values.endpoints.identity.auth.dcdbsync.username -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.keystone_authtoken.password -}}
+{{- $_ := set .Values.conf.dcdbsync.keystone_authtoken "password" .Values.endpoints.identity.auth.dcdbsync.password -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.keystone_authtoken.interface -}}
+{{- $_ := set .Values.conf.dcdbsync.keystone_authtoken "interface" (default "internal" .Values.endpoints.identity.auth.dcdbsync.interface) -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.endpoint_cache.auth_uri -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.dcdbsync.keystone_authtoken "auth_uri" -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.endpoint_cache.region_name -}}
+{{- $_ := set .Values.conf.dcdbsync.keystone_authtoken "region_name" .Values.endpoints.identity.auth.dcdbsync.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.endpoint_cache.project_name -}}
+{{- $_ := set .Values.conf.dcdbsync.keystone_authtoken "project_name" .Values.endpoints.identity.auth.dcdbsync.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.endpoint_cache.project_domain_name -}}
+{{- $_ := set .Values.conf.dcdbsync.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.dcdbsync.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.endpoint_cache.user_domain_name -}}
+{{- $_ := set .Values.conf.dcdbsync.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.dcdbsync.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.endpoint_cache.username -}}
+{{- $_ := set .Values.conf.dcdbsync.keystone_authtoken "username" .Values.endpoints.identity.auth.dcdbsync.username -}}
+{{- end -}}
+{{- if empty .Values.conf.dcdbsync.endpoint_cache.password -}}
+{{- $_ := set .Values.conf.dcdbsync.keystone_authtoken "password" .Values.endpoints.identity.auth.dcdbsync.password -}}
+{{- end -}}
+
+{{- if empty .Values.conf.dcdbsync.database.connection -}}
+{{- $connection := tuple "sql_alchemy" "internal" "keystone" "postgresql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $_ := set .Values.conf.dcdbsync.database "connection" $connection -}}
+{{- end -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dcdbsync-etc
+type: Opaque
+data:
+  dcdbsync.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.dcdbsync | b64enc }}
+  logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/templates/secret-keystone.yaml

@@ -0,0 +1,22 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "dcdbsync" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/templates/service.yaml

@@ -0,0 +1,29 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.service_dcdbsync }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "dcorch-dbsync" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  type: {{ if .Values.network.dcdbsync_api.node_port.enabled }}NodePort{{ else }}ClusterIP{{ end }}
+  ports:
+    - name: dcdbsync-api
+      port: {{ .Values.network.dcdbsync_api.port }}
+      targetPort: {{ .Values.network.dcdbsync_api.port }}
+      {{- if .Values.network.dcdbsync_api.node_port.enabled }}
+      nodePort: {{ .Values.network.dcdbsync_api.node_port.port }}
+      {{- end }}
+  selector:
+{{ tuple . "dcdbsync" "dcdbsync-api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  {{ if .Values.network.dcdbsync_api.external_policy_local }}
+  externalTrafficPolicy: Local
+  {{ end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/templates/serviceaccounts.yaml

@@ -0,0 +1,24 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- $envAll := . }}
+{{- $serviceName := "dcdbsync" }}
+{{- $serviceUser := "dcdbsync" }}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" }}
+
+{{- $serviceAccountUser := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountUser | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+{{- $serviceAccountService := printf "%s-%s" $serviceUserPretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountService | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+{{- $serviceAccountEndpoints := printf "%s-%s" $serviceUserPretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountEndpoints | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+{{- $serviceAccountNginxProxy := printf "%s-%s" $serviceUserPretty "nginx-proxy" }}
+{{ tuple $envAll "nginx_proxy" $serviceAccountNginxProxy | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcdbsync/values.yaml

@@ -0,0 +1,336 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Default values for dcorch.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+nameOverride: ""
+fullnameOverride: ""
+
+images:
+  tags:
+    dcdbsync: docker.io/starlingx/stx-distributed-cloud:master-debian-stable-latest
+    ks_user: docker.io/starlingx/stx-distributed-cloud:master-debian-stable-latest
+    ks_service: docker.io/starlingx/stx-distributed-cloud:master-debian-stable-latest
+    ks_endpoints: docker.io/starlingx/stx-distributed-cloud:master-debian-stable-latest
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
+  pullPolicy: IfNotPresent
+  local_registry:
+    active: false
+
+labels:
+  job:
+    node_selector_key: node-role.kubernetes.io/control-plane
+    node_selector_value: ""
+  dcdbsync:
+    node_affinity_keys:
+      - starlingx.io/subcloud
+      - starlingx.io/distributed-cloud
+    node_affinity_values:
+      - enabled
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext: {}
+
+securityContext: {}
+
+network:
+  dcdbsync_api:
+    port: 8219
+    node_port:
+      enabled: true
+      port: 30219
+    external_policy_local: false
+
+volume: []
+
+conf:
+  dcdbsync:
+    DEFAULT:
+      debug: False
+      use_syslog: True
+      syslog_log_facility: local4
+      verbose: False
+      bind_port: 8219
+      auth_strategy: keystone
+    database:
+      connection_recycle_time: 3600
+      max_overflow: 10
+      max_pool_size: 5
+      idle_timeout: 3600
+    keystone_authtoken:
+      auth_uri: http://controller.internal:5000
+      region_name: RegionOne
+      include_service_catalog: false
+      auth_type: password
+      interface: internal
+      auth_url: http://controller.internal:5000
+      project_name: services
+      username: dcdbsync
+      user_domain_name: Default
+      project_domain_name: Default
+    cache:
+      auth_uri: http://controller.internal:5000/v3
+    endpoint_cache:
+      auth_uri: http://controller.internal:5000/v3
+      auth_plugin: password
+      http_connect_timeout: 15
+      region_name: RegionOne
+      project_name: services
+      user_domain_name: Default
+      project_domain_name: Default
+
+  logging:
+    loggers:
+      keys:
+        - root
+        - dcdbsync
+    handlers:
+      keys:
+        - stdout
+        - stderr
+        - "null"
+    formatters:
+      keys:
+        - context
+        - default
+    logger_root:
+      level: WARNING
+      handlers: 'null'
+    logger_dcdbsync:
+      level: INFO
+      handlers:
+        - stdout
+      qualname: dcdbsync
+    logger_eventletwsgi:
+      level: INFO
+      handlers:
+        - stdout
+        - stderr
+      qualname: eventlet.wsgi.server
+    logger_keystoneauth:
+      level: ERROR
+      handlers: stderr
+      qualname: keystoneauth
+    logger_sqlalchemy:
+      level: WARNING
+      handlers: stderr
+      qualname: sqlalchemy
+    handler_null:
+      class: logging.NullHandler
+      formatter: default
+      args: ()
+    handler_stdout:
+      class: StreamHandler
+      args: (sys.stdout,)
+      formatter: context
+    handler_stderr:
+      class: StreamHandler
+      args: (sys.stderr,)
+      formatter: context
+    formatter_context:
+      class: oslo_log.formatters.ContextFormatter
+    formatter_default:
+      format: "%(message)s"
+
+dependencies:
+  static:
+    api:
+      jobs:
+        - dcdbsync-ks-endpoints
+    ks_endpoints:
+      jobs:
+        - dcdbsync-ks-user
+        - dcdbsync-ks-service
+    nginx_proxy:
+      jobs:
+        - dcdbsync-ks-endpoints
+
+manifests:
+  certificates: false
+  configmap_bin: true
+  job_ks_endpoints_dcdbsync: true
+  dcdbsync_api_deployment: true
+  ingress: true
+  job_ks_user: true
+  job_ks_service: true
+  job_ks_endpoints: true
+  secret_etc: true
+  secret_db: true
+  secret_ingress_tls: false
+  secret_keystone: true
+  service_ingress: true
+  service_dcdbsync: true
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  dcorch_dbsync:
+    name: dcdbsync
+    hosts:
+      default: dcdbsync-api
+      internal: dcdbsync-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v1.0
+    scheme:
+      default: 'http'
+    port:
+      api:
+        default: 8219
+
+  sql_alchemy:
+    auth:
+      keystone:
+        username: admin-keystone
+        password: password
+    hosts:
+      default: postgresql
+    host_fqdn_override:
+      default: controller.internal
+    port:
+      postgresql:
+        default: 5432
+    path: /keystone
+    scheme: postgresql+psycopg2
+
+  identity:
+    name: keystone
+    auth:
+      admin:
+        username: admin
+        password: password
+        region_name: RegionOne
+        project_name: admin
+        user_domain_name: Default
+        project_domain_name: Default
+      dcdbsync:
+        role: admin
+        auth_url: http://controller.internal:5000/v3
+        username: dcdbsync
+        password: password
+        region_name: RegionOne
+        project_name: services
+        user_domain_name: Default
+        project_domain_name: Default
+        interface: internal
+    hosts:
+      default: keystone-api
+      public: keystone
+    host_fqdn_override:
+      default: controller.internal
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+
+pod:
+  probes:
+    api:
+      default:
+        liveness:
+          enabled: True
+          params:
+            initialDelaySeconds: 120
+            periodSeconds: 90
+            timeoutSeconds: 70
+  user:
+    api:
+      uid: 0
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+  annotations: {}
+  tolerations:
+    dcdbsync:
+      enabled: false
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
+  mounts:
+    api:
+      init_container: null
+      dcdbsync:
+    nginx_proxy:
+      init_container: []
+  autoscaling:
+    enabled: false
+  replicas:
+    dcdbsync_api: 1
+  lifecycle:
+    upgrades:
+      deployments:
+        revision_history: 3
+        pod_replacement_strategy: RollingUpdate
+        rolling_update:
+          max_unavailable: 1
+          max_surge: 3
+      daemonsets:
+        pod_replacement_strategy: RollingUpdate
+        compute:
+          enabled: true
+          min_ready_seconds: 0
+          max_unavailable: 1
+    disruption_budget:
+        dcorch:
+        min_available: 0
+    termination_grace_period:
+        dcorch:
+        timeout: 30
+  resources:
+    enabled: false
+    dcdbsync_api: []
+    jobs:
+      ks_endpoints: []
+
+secrets:
+  identity:
+    admin: dcdbsync-keystone-admin
+    dcdbsync: dcdbsync-keystone-user
+  oslo_db:
+    admin: dcorch-db-admin
+    dcorch: dcorch-db-user
+    dcmanager: dcmanager-keystone-user
+  oslo_messaging:
+    admin: dcorch-rabbitmq-admin
+    dcorch: dcorch-rabbitmq-user
+  tls:
+    dcdbsync:
+      api:
+        public: dcdbsync-api-tls-public
+        internal: dcdbsync-api-tls-internal
+
+ca_certificates:
+  root_ca: root-ca
+
+nginx_proxy:
+  port: 8219
+  image: nginx:stable-alpine
+  node_selector_key: starlingx.io/subcloud
+  node_selector_value: enabled

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/configmap-bin.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/deployment-api.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/deployment-audit-worker.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/deployment-audit.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/deployment-manager.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/deployment-orchestrator.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/deployment-state.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/ingress.yaml

@@ -1,3 +1,11 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "dcmanager.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/job-db-drop.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/job-db-init.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/job-db-sync.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/job-ks-endpoints.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/job-ks-service.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/job-ks-user.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/pvc-backup.yaml

@@ -1,19 +0,0 @@
-# {{/*
-# #
-# # SPDX-License-Identifier: Apache-2.0
-# #
-# */}}
-
-# {{- if and .Values.volume.backup.enabled .Values.manifests.pvc_backup }}
-# ---
-# kind: PersistentVolumeClaim
-# apiVersion: v1
-# metadata:
-#   name: dc-backup-pvc
-# spec:
-#   accessModes: {{ .Values.volume.backup.accessModes }}
-#   resources:
-#     requests:
-#       storage: {{ .Values.volume.backup.size }}
-#   storageClassName: {{ .Values.volume.backup.class_name }}
-# {{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/pvc-vault.yaml

@@ -1,19 +0,0 @@
-# {{/*
-# #
-# # SPDX-License-Identifier: Apache-2.0
-# #
-# */}}
-
-# {{- if and .Values.volume.vault.enabled .Values.manifests.pvc_vault }}
-# ---
-# kind: PersistentVolumeClaim
-# apiVersion: v1
-# metadata:
-#   name: dc-vault-pvc
-# spec:
-#   accessModes: {{ .Values.volume.vault.accessModes }}
-#   resources:
-#     requests:
-#       storage: {{ .Values.volume.vault.size }}
-#   storageClassName: {{ .Values.volume.vault.class_name }}
-# {{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/secret-db.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/secret-etc.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/secret-keystone.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/secret-rabbitmq.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}
@@ -17,4 +19,4 @@ type: Opaque
 data:
   RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "amqp" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
 {{- end }}
-{{- end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/templates/service.yaml

@@ -1,5 +1,7 @@
 {{/*
 #
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
 # SPDX-License-Identifier: Apache-2.0
 #
 */}}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcmanager/values.yaml

@@ -383,84 +383,18 @@ pod:
         timeout: 30
   resources:
     enabled: false
-    api:
-      requests:
-        memory: "128Mi"
-        cpu: "100m"
-      limits:
-        memory: "1024Mi"
-        cpu: "2000m"
-    manager:
-      requests:
-        memory: "128Mi"
-        cpu: "100m"
-      limits:
-        memory: "1024Mi"
-        cpu: "2000m"
-    state:
-      requests:
-        memory: "128Mi"
-        cpu: "100m"
-      limits:
-        memory: "1024Mi"
-        cpu: "2000m"
-    orchestrator:
-      requests:
-        memory: "128Mi"
-        cpu: "100m"
-      limits:
-        memory: "1024Mi"
-        cpu: "2000m"
-    audit:
-      requests:
-        memory: "128Mi"
-        cpu: "100m"
-      limits:
-        memory: "1024Mi"
-        cpu: "2000m"
-    audit_worker:
-      requests:
-        memory: "128Mi"
-        cpu: "100m"
-      limits:
-        memory: "1024Mi"
-        cpu: "2000m"
+    api: []
+    manager: []
+    state: []
+    orchestrator: []
+    audit: []
+    audit_worker: []
     jobs:
-      ks_endpoints:
-        requests:
-          memory: "128Mi"
-          cpu: "100m"
-        limits:
-          memory: "1024Mi"
-          cpu: "2000m"
-      db_init:
-        requests:
-          memory: "128Mi"
-          cpu: "100m"
-        limits:
-          memory: "1024Mi"
-          cpu: "2000m"
-      db_sync:
-        requests:
-          memory: "128Mi"
-          cpu: "100m"
-        limits:
-          memory: "1024Mi"
-          cpu: "2000m"
-      db_drop:
-        requests:
-          memory: "128Mi"
-          cpu: "100m"
-        limits:
-          memory: "1024Mi"
-          cpu: "2000m"
-      rabbit_init:
-        requests:
-          memory: "128Mi"
-          cpu: "100m"
-        limits:
-          memory: "1024Mi"
-          cpu: "2000m"
+      ks_endpoints: []
+      db_init: []
+      db_sync: []
+      db_drop: []
+      rabbit_init: []
 
 secrets:
   identity:

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_db-drop.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+dropdb -h 127.0.0.1 -Uroot dcorch

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_db-sync.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+dcorch-manage db_sync

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_dcorch-api.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+python /var/lib/openstack/bin/dcorch-api --config-file=/etc/dcorch/dcorch.conf

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_dcorch-engine-worker.sh.tpl

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+python /var/lib/openstack/bin/dcorch-engine-worker --config-file=/etc/dcorch/dcorch.conf

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_dcorch-engine.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+python /var/lib/openstack/bin/dcorch-engine --config-file=/etc/dcorch/dcorch.conf

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_dcorch-identity-api-proxy.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+python /var/lib/openstack/bin/dcorch-api-proxy --config-file=/etc/dcorch/dcorch.conf --type=identity

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_dcorch-patch-api-proxy.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+python /var/lib/openstack/bin/dcorch-api-proxy --config-file=/etc/dcorch/dcorch.conf --type=patching

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_dcorch-sysinv-api-proxy.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+python /var/lib/openstack/bin/dcorch-api-proxy --config-file=/etc/dcorch/dcorch.conf --type=platform

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_dcorch-usm-api-proxy.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+python /var/lib/openstack/bin/dcorch-api-proxy --config-file=/etc/dcorch/dcorch.conf --type=usm

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_endpoint-update.sh.tpl

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+{{/*
+#
+# Copyright (c) 2019 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+# Get service id
+OS_SERVICE_ID=$( openstack service list -c Type -c ID -f value | \
+                 grep ${OS_SERVICE_TYPE} | cut -f1 -d" " )
+
+# Check if endpoint exists
+OS_ENDPOINT_ID=$( openstack endpoint list --service ${OS_SERVICE_TYPE} \
+                  --region ${OS_SERVICE_REGION} \
+                  --interface ${OS_SVC_ENDPOINT} -c ID -f value )
+
+# Delete the old endpoint
+if [[ -n "$OS_ENDPOINT_ID" ]]; then
+  openstack endpoint delete ${OS_ENDPOINT_ID}
+fi
+
+# Create the new endpoint
+OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+    --region=${OS_SERVICE_REGION} \
+    "${OS_SERVICE_ID}" \
+    ${OS_SVC_ENDPOINT} \
+    "${OS_SERVICE_ENDPOINT}" )
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_keystone-api-proxy.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+python /var/lib/openstack/bin/dcorch-api-proxy --config-file=/etc/dcorch/dcorch.conf --type=identity

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_patching-api-proxy.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+python /var/lib/openstack/bin/dcorch-api-proxy --config-file=/etc/dcorch/dcorch.conf --type=patching

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_sysinv-api-proxy.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+python /var/lib/openstack/bin/dcorch-api-proxy --config-file=/etc/dcorch/dcorch.conf --type=platform

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/bin/_usm-api-proxy.sh.tpl

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+{{/*
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+set -ex
+
+if ! update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors; then
+    echo "Failed to update CA certificates!" >&2
+    exit 1
+fi
+
+python /var/lib/openstack/bin/dcorch-api-proxy --config-file=/etc/dcorch/dcorch.conf --type=usm

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/configmap-bin.yaml

@@ -0,0 +1,43 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dcorch-bin
+data:
+  dcorch-api.sh: |
+{{ tuple "bin/_dcorch-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  dcorch-engine-worker.sh: |
+{{ tuple "bin/_dcorch-engine-worker.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  dcorch-engine.sh: |
+{{ tuple "bin/_dcorch-engine.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  keystone-api-proxy.sh: |
+{{ tuple "bin/_keystone-api-proxy.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  sysinv-api-proxy.sh: |
+{{ tuple "bin/_sysinv-api-proxy.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  patching-api-proxy.sh: |
+{{ tuple "bin/_patching-api-proxy.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  usm-api-proxy.sh: |
+{{ tuple "bin/_usm-api-proxy.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-init.py: |
+{{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
+  db-sync.sh: |
+{{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-drop.sh: |
+{{ tuple "bin/_db-drop.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  db-drop.py: |
+{{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+  ks-service.sh: |
+{{- include "helm-toolkit.scripts.keystone_service" . | indent 4 }}
+  ks-endpoints.sh: |
+{{- include "helm-toolkit.scripts.keystone_endpoints" . | indent 4 }}
+  ks-user.sh: |
+{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
+  endpoint-update.sh: |
+{{ tuple "bin/_endpoint-update.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/dcorch-api.yaml

@@ -0,0 +1,137 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- define "dcOrchApiLivenessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "dcorch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if .Values.manifests.deployment_api }}
+{{- $envAll := . }}
+
+{{- $mounts_dcorch_api := .Values.pod.mounts.api.dcorch }}
+{{- $mounts_dcorch_api_init := .Values.pod.mounts.api.init_container }}
+
+{{- $serviceAccountName := "dcorch" }}
+{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dcorch-api
+  labels:
+{{ tuple $envAll "dcorch" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  {{- if not .Values.pod.autoscaling.enabled }}
+  replicas: {{ .Values.pod.replicas.api }}
+  {{- end }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "dcorch" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      {{- with .Values.pod.annotations.api }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+{{ tuple $envAll "dcorch" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      initContainers:
+{{ tuple $envAll "api" $mounts_dcorch_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: dcorch
+{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+          - name: SSL_CERT_FILE
+            value: /etc/ssl/certs/ca-certificates.crt
+          envFrom:
+            - secretRef:
+                name: dcorch-keystone-admin
+          volumeMounts:
+            - name: dcorch-bin
+              mountPath: /tmp/dcorch-api.sh
+              subPath: dcorch-api.sh
+              readOnly: true
+            - name: dcorch-etc
+              mountPath: /etc/dcorch/dcorch.conf
+              subPath: dcorch.conf
+              readOnly: true
+            - name: dcorch-etc
+              mountPath: /etc/dcorch/logging.conf
+              subPath: logging.conf
+              readOnly: true
+            - name: dc-vault-dir
+              mountPath: {{ .Values.conf.dcorch.vault.base_path }}
+            - name: dc-backup-dir
+              mountPath: {{ .Values.conf.dcorch.backup.base_path }}
+{{- if .Values.ca_certificates.root_ca }}
+            - name: root-ca
+              mountPath: /usr/local/share/ca-certificates/root-ca.crt
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+{{ if $mounts_dcorch_api.volumeMounts }}{{ toYaml $mounts_dcorch_api.volumeMounts | indent 12 }}{{ end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dcorch.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ dict "envAll" . "component" "api" "container" "default" "type" "liveness" "probeTemplate" (include "dcOrchApiLivenessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/dcorch-api.sh
+          image: "{{ .Values.images.tags.dcorch }}"
+          imagePullPolicy: {{ .Values.images.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ tuple "dcorch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              protocol: TCP
+{{ tuple $envAll "dcorch" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.dcorch.node_selector_key }}: {{ .Values.labels.dcorch.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.dcorch.enabled }}
+{{ tuple $envAll "dcorch" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      affinity:
+        {{ tuple $envAll "dcorch" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      volumes:
+        - name: dcorch-etc
+          secret:
+            secretName: dcorch-etc
+            defaultMode: 0644
+        - name: dcorch-bin
+          configMap:
+            name: dcorch-bin
+            defaultMode: 0755
+{{- if .Values.ca_certificates.root_ca }}
+        - name: root-ca
+          secret:
+            secretName: {{ .Values.ca_certificates.root_ca }}
+            defaultMode: 0644
+{{- end }}
+        {{- if and .Values.volume.vault.enabled  .Values.manifests.pvc_vault }}
+        - name: dc-vault-dir
+          persistentVolumeClaim:
+            claimName: dc-vault-pvc
+        {{- else }}
+        - name: dc-vault-dir
+          hostPath:
+            path: {{ .Values.conf.dcorch.vault.base_path }}
+            type: DirectoryOrCreate
+        {{- end }}
+        {{- if and .Values.volume.backup.enabled  .Values.manifests.pvc_backup }}
+        - name: dc-backup-dir
+          persistentVolumeClaim:
+            claimName: dc-backup-pvc
+        {{- else }}
+        - name: dc-backup-dir
+          hostPath:
+            path: {{ .Values.conf.dcorch.backup.base_path }}
+            type: DirectoryOrCreate
+        {{- end }}
+{{ if $mounts_dcorch_api.volumes }}{{ toYaml $mounts_dcorch_api.volumes | indent 8 }}{{ end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dcorch.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/dcorch-engine-worker.yaml

@@ -0,0 +1,98 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.deployment_engine }}
+{{- $envAll := . }}
+
+{{- $mounts_dcorch_engine := .Values.pod.mounts.engine.dcorch }}
+{{- $mounts_dcorch_engine_init := .Values.pod.mounts.engine.init_container }}
+
+{{- $serviceAccountName := "dcorch-engine-worker" }}
+{{ tuple $envAll "engine" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dcorch-engine-worker
+  labels:
+{{ tuple $envAll "dcorch" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  {{- if not .Values.pod.autoscaling.enabled }}
+  replicas: {{ .Values.pod.replicas.dcorch_engine_worker }}
+  {{- end }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "dcorch" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      {{- with .Values.pod.annotations.dcorch_engine }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+{{ tuple $envAll "dcorch" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      initContainers:
+{{ tuple $envAll "engine" $mounts_dcorch_engine_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: dcorch
+{{ tuple $envAll $envAll.Values.pod.resources.dcorch_engine_worker | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: /etc/ssl/certs/ca-certificates.crt
+          volumeMounts:
+            - name: dcorch-bin
+              mountPath: /tmp/dcorch-engine-worker.sh
+              subPath: dcorch-engine-worker.sh
+              readOnly: true
+            - name: dcorch-etc
+              mountPath: /etc/dcorch/dcorch.conf
+              subPath: dcorch.conf
+              readOnly: true
+            - name: dcorch-etc
+              mountPath: /etc/dcorch/logging.conf
+              subPath: logging.conf
+              readOnly: true
+{{- if .Values.ca_certificates.root_ca }}
+            - name: ca-certs
+              mountPath: /etc/pki/ca-trust/source/anchors/ca-cert.crt
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+{{ if $mounts_dcorch_engine.volumeMounts }}{{ toYaml $mounts_dcorch_engine.volumeMounts | indent 12 }}{{ end }}
+          command:
+            - /tmp/dcorch-engine-worker.sh
+          image: "{{ .Values.images.tags.dcorch }}"
+          imagePullPolicy: {{ .Values.images.pullPolicy }}
+{{ tuple $envAll "dcorch" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.dcorch.node_selector_key }}: {{ .Values.labels.dcorch.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.dcorch.enabled }}
+{{ tuple $envAll "dcorch" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      affinity:
+        {{ tuple $envAll "dcorch" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      volumes:
+        - name: dcorch-etc
+          secret:
+            secretName: dcorch-etc
+            defaultMode: 0644
+        - name: dcorch-bin
+          configMap:
+            name: dcorch-bin
+            defaultMode: 0755
+{{- if .Values.ca_certificates.root_ca }}
+        - name: ca-certs
+          secret:
+            secretName: {{ .Values.ca_certificates.root_ca }}
+            defaultMode: 0644
+{{- end }}
+{{ if $mounts_dcorch_engine.volumes }}{{ toYaml $mounts_dcorch_engine.volumes | indent 8 }}{{ end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/dcorch-engine.yaml

@@ -0,0 +1,101 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.deployment_engine }}
+{{- $envAll := . }}
+
+{{- $mounts_dcorch_engine := .Values.pod.mounts.engine.dcorch }}
+{{- $mounts_dcorch_engine_init := .Values.pod.mounts.engine.init_container }}
+
+{{- $serviceAccountName := "dcorch-engine" }}
+{{ tuple $envAll "engine" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dcorch-engine
+  labels:
+{{ tuple $envAll "dcorch" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  {{- if not .Values.pod.autoscaling.enabled }}
+  replicas: {{ .Values.pod.replicas.dcorch_engine }}
+  {{- end }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "dcorch" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      {{- with .Values.pod.annotations.dcorch_engine }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+{{ tuple $envAll "dcorch" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      initContainers:
+{{ tuple $envAll "engine" $mounts_dcorch_engine_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: dcorch
+{{ tuple $envAll $envAll.Values.pod.resources.dcorch_engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+          - name: SSL_CERT_FILE
+            value: /etc/ssl/certs/ca-certificates.crt
+          envFrom:
+            - secretRef:
+                name: dcorch-keystone-admin
+          volumeMounts:
+            - name: dcorch-bin
+              mountPath: /tmp/dcorch-engine.sh
+              subPath: dcorch-engine.sh
+              readOnly: true
+            - name: dcorch-etc
+              mountPath: /etc/dcorch/dcorch.conf
+              subPath: dcorch.conf
+              readOnly: true
+            - name: dcorch-etc
+              mountPath: /etc/dcorch/logging.conf
+              subPath: logging.conf
+              readOnly: true
+{{- if .Values.ca_certificates.root_ca }}
+            - name: root-ca
+              mountPath: /usr/local/share/ca-certificates/root-ca.crt
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+{{ if $mounts_dcorch_engine.volumeMounts }}{{ toYaml $mounts_dcorch_engine.volumeMounts | indent 12 }}{{ end }}
+          command:
+            - /tmp/dcorch-engine.sh
+          image: "{{ .Values.images.tags.dcorch }}"
+          imagePullPolicy: {{ .Values.images.pullPolicy }}
+{{ tuple $envAll "dcorch" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.dcorch.node_selector_key }}: {{ .Values.labels.dcorch.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.dcorch.enabled }}
+{{ tuple $envAll "dcorch" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      affinity:
+        {{ tuple $envAll "dcorch" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      volumes:
+        - name: dcorch-etc
+          secret:
+            secretName: dcorch-etc
+            defaultMode: 0644
+        - name: dcorch-bin
+          configMap:
+            name: dcorch-bin
+            defaultMode: 0755
+{{- if .Values.ca_certificates.root_ca }}
+        - name: root-ca
+          secret:
+            secretName: {{ .Values.ca_certificates.root_ca }}
+            defaultMode: 0644
+{{- end }}
+{{ if $mounts_dcorch_engine.volumes }}{{ toYaml $mounts_dcorch_engine.volumes | indent 8 }}{{ end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/job-db-drop.yaml

@@ -0,0 +1,15 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.job_db_drop }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "dcorch" -}}
+{{- if .Values.pod.tolerations.dcorch.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/job-db-init.yaml

@@ -0,0 +1,15 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.job_db_init }}
+{{- $dbInitJob := dict "envAll" . "serviceName" "dcorch" -}}
+{{- if .Values.pod.tolerations.dcorch.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/job-db-sync.yaml

@@ -0,0 +1,15 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.job_db_sync }}
+{{- $dbSyncJob := dict "envAll" . "serviceName" "dcorch" -}}
+{{- if .Values.pod.tolerations.dcorch.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/job-ks-endpoints-identity.yaml

@@ -0,0 +1,89 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+*/}}
+
+{{- if .Values.manifests.job_ks_endpoints_identity }}
+{{- $envAll := . }}
+{{- $serviceName := "keystone-api-proxy" }}
+{{- $serviceRegion := $envAll.Values.endpoints.keystone_api_proxy.region_name }}
+{{- $nodeSelector := dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceName "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints_identity" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceName "ks-endpoints" | quote }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      imagePullSecrets:
+        - name: default-registry-key
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := tuple "identity" }}
+{{- range $key2, $osRealServiceType := tuple "keystone_api_proxy" }}
+{{- range $key3, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" "keystone-proxy" "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/endpoint-update.sh
+          volumeMounts:
+            - name: endpoint-update-sh
+              mountPath: /tmp/endpoint-update.sh
+              subPath: endpoint-update.sh
+              readOnly: true
+          env:
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osRealServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+            - name: OS_SERVICE_REGION
+              value: {{ $serviceRegion | quote }}
+            - name: OS_AUTH_URL
+              value: http://controller.internal:5000/v3
+            - name: OS_USERNAME
+              value: "admin"
+            - name: OS_ENDPOINT_TYPE
+              value: "internal"
+            - name: OS_INTERFACE
+              value: "internal"
+            - name: OS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: dcorch-keystone-admin
+                  key: OS_PASSWORD
+            - name: OS_PROJECT_NAME
+              value: "admin"
+            - name: OS_USER_DOMAIN_NAME
+              value: "Default"
+            - name: OS_PROJECT_DOMAIN_NAME
+              value: "Default"
+
+{{- end }}
+{{- end }}
+      volumes:
+        - name: endpoint-update-sh
+          configMap:
+            name: dcorch-bin
+            defaultMode: 0555
+{{- end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/job-ks-endpoints-patching.yaml

@@ -0,0 +1,89 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+*/}}
+
+{{- if .Values.manifests.job_ks_endpoints_patching }}
+{{- $envAll := . }}
+{{- $serviceName := "patching-api-proxy" }}
+{{- $serviceRegion := $envAll.Values.endpoints.patching_api_proxy.region_name }}
+{{- $nodeSelector := dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceName "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints_patching" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceName "ks-endpoints" | quote }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      imagePullSecrets:
+        - name: default-registry-key
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := tuple "patching" }}
+{{- range $key2, $osRealServiceType := tuple "patching_api_proxy" }}
+{{- range $key3, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" "patching-proxy" "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/endpoint-update.sh
+          volumeMounts:
+            - name: endpoint-update-sh
+              mountPath: /tmp/endpoint-update.sh
+              subPath: endpoint-update.sh
+              readOnly: true
+          env:
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: "patching"
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osRealServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+            - name: OS_SERVICE_REGION
+              value: {{ $serviceRegion | quote }}
+            - name: OS_AUTH_URL
+              value: http://controller.internal:5000/v3
+            - name: OS_USERNAME
+              value: "admin"
+            - name: OS_ENDPOINT_TYPE
+              value: "internal"
+            - name: OS_INTERFACE
+              value: "internal"
+            - name: OS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: dcorch-keystone-admin
+                  key: OS_PASSWORD
+            - name: OS_PROJECT_NAME
+              value: "admin"
+            - name: OS_USER_DOMAIN_NAME
+              value: "Default"
+            - name: OS_PROJECT_DOMAIN_NAME
+              value: "Default"
+
+{{- end }}
+{{- end }}
+      volumes:
+        - name: endpoint-update-sh
+          configMap:
+            name: dcorch-bin
+            defaultMode: 0555
+{{- end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/job-ks-endpoints-sysinv.yaml

@@ -0,0 +1,89 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+*/}}
+
+{{- if .Values.manifests.job_ks_endpoints_sysinv }}
+{{- $envAll := . }}
+{{- $serviceName := "sysinv-api-proxy" }}
+{{- $serviceRegion := $envAll.Values.endpoints.sysinv_api_proxy.region_name }}
+{{- $nodeSelector := dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceName "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints_sysinv" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceName "ks-endpoints" | quote }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      imagePullSecrets:
+        - name: default-registry-key
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := tuple "platform" }}
+{{- range $key2, $osRealServiceType := tuple "sysinv_api_proxy" }}
+{{- range $key3, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" "sysinv-proxy" "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/endpoint-update.sh
+          volumeMounts:
+            - name: endpoint-update-sh
+              mountPath: /tmp/endpoint-update.sh
+              subPath: endpoint-update.sh
+              readOnly: true
+          env:
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: "sysinv"
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osRealServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+            - name: OS_SERVICE_REGION
+              value: {{ $serviceRegion | quote }}
+            - name: OS_AUTH_URL
+              value: http://controller.internal:5000/v3
+            - name: OS_USERNAME
+              value: "admin"
+            - name: OS_ENDPOINT_TYPE
+              value: "internal"
+            - name: OS_INTERFACE
+              value: "internal"
+            - name: OS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: dcorch-keystone-admin
+                  key: OS_PASSWORD
+            - name: OS_PROJECT_NAME
+              value: "admin"
+            - name: OS_USER_DOMAIN_NAME
+              value: "Default"
+            - name: OS_PROJECT_DOMAIN_NAME
+              value: "Default"
+
+{{- end }}
+{{- end }}
+      volumes:
+        - name: endpoint-update-sh
+          configMap:
+            name: dcorch-bin
+            defaultMode: 0555
+{{- end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/job-ks-endpoints-usm.yaml

@@ -0,0 +1,89 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+*/}}
+
+{{- if .Values.manifests.job_ks_endpoints_usm }}
+{{- $envAll := . }}
+{{- $serviceName := "usm-api-proxy" }}
+{{- $serviceRegion := $envAll.Values.endpoints.usm_api_proxy.region_name }}
+{{- $nodeSelector := dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceName "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints_usm" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ printf "%s-%s" $serviceName "ks-endpoints" | quote }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      imagePullSecrets:
+        - name: default-registry-key
+      restartPolicy: OnFailure
+      nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+      containers:
+{{- range $key1, $osServiceType := tuple "usm" }}
+{{- range $key2, $osRealServiceType := tuple "usm_api_proxy" }}
+{{- range $key3, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+        - name: {{ printf "%s-%s-%s" "usm-proxy" "ks-endpoints" $osServiceEndPoint | quote }}
+          image: {{ $envAll.Values.images.tags.ks_endpoints }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+          command:
+            - /tmp/endpoint-update.sh
+          volumeMounts:
+            - name: endpoint-update-sh
+              mountPath: /tmp/endpoint-update.sh
+              subPath: endpoint-update.sh
+              readOnly: true
+          env:
+            - name: OS_SVC_ENDPOINT
+              value: {{ $osServiceEndPoint | quote }}
+            - name: OS_SERVICE_NAME
+              value: "usm"
+            - name: OS_SERVICE_TYPE
+              value: {{ $osServiceType | quote }}
+            - name: OS_SERVICE_ENDPOINT
+              value: {{ tuple $osRealServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+            - name: OS_SERVICE_REGION
+              value: {{ $serviceRegion | quote }}
+            - name: OS_AUTH_URL
+              value: http://controller.internal:5000/v3
+            - name: OS_USERNAME
+              value: "admin"
+            - name: OS_ENDPOINT_TYPE
+              value: "internal"
+            - name: OS_INTERFACE
+              value: "internal"
+            - name: OS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: dcorch-keystone-admin
+                  key: OS_PASSWORD
+            - name: OS_PROJECT_NAME
+              value: "admin"
+            - name: OS_USER_DOMAIN_NAME
+              value: "Default"
+            - name: OS_PROJECT_DOMAIN_NAME
+              value: "Default"
+
+{{- end }}
+{{- end }}
+      volumes:
+        - name: endpoint-update-sh
+          configMap:
+            name: dcorch-bin
+            defaultMode: 0555
+{{- end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/job-ks-service.yaml

@@ -0,0 +1,18 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.job_ks_service }}
+{{- $ksServiceJob := dict "envAll" . "serviceName" "dcorch" "serviceTypes" ( tuple "dcorch" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.dcorch.api.public -}}
+{{- end -}}
+{{- if .Values.pod.tolerations.dcorch.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/job-ks-user.yaml

@@ -0,0 +1,18 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "dcorch" -}}
+{{- if .Values.pod.tolerations.dcorch.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.dcorch.api.public -}}
+{{- end -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/keystone-api-proxy.yaml

@@ -0,0 +1,116 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- define "KeystoneApiLivenessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "keystone_api_proxy" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if .Values.manifests.ks_deployment_api_proxy }}
+{{- $envAll := . }}
+
+{{- $mounts_keystone_api_proxy := .Values.pod.mounts.keystone_api_proxy.keystone_api_proxy }}
+{{- $mounts_keystone_api_proxy_init := .Values.pod.mounts.keystone_api_proxy.init_container }}
+
+{{- $serviceAccountName := "keystone-api-proxy" }}
+{{ tuple $envAll "keystone-api-proxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keystone-api-proxy
+  labels:
+{{ tuple $envAll "dcorch" "keystone-api-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  {{- if not .Values.pod.autoscaling.enabled }}
+  replicas: {{ .Values.pod.replicas.keystone_api_proxy }}
+  {{- end }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "dcorch" "keystone-api-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      {{- with .Values.pod.annotations.keystone_api_proxy }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+{{ tuple $envAll "dcorch" "keystone-api-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      initContainers:
+{{ tuple $envAll "ks_endpoints_identity" $mounts_keystone_api_proxy_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: keystone-api-proxy
+{{ tuple $envAll $envAll.Values.pod.resources.keystone_api_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+          - name: SSL_CERT_FILE
+            value: /etc/ssl/certs/ca-certificates.crt
+          envFrom:
+            - secretRef:
+                name: dcorch-keystone-admin
+          volumeMounts:
+            - name: dcorch-bin
+              mountPath: /tmp/keystone-api-proxy.sh
+              subPath: keystone-api-proxy.sh
+              readOnly: true
+            - name: dcorch-etc
+              mountPath: /etc/dcorch/dcorch.conf
+              subPath: dcorch.conf
+              readOnly: true
+            - name: dcorch-etc
+              mountPath: /etc/dcorch/logging.conf
+              subPath: logging.conf
+              readOnly: true
+            - name: dcorch-etc
+              mountPath: /etc/dcorch/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+{{- if .Values.ca_certificates.root_ca }}
+            - name: root-ca
+              mountPath: /usr/local/share/ca-certificates/root-ca.crt
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+{{ if $mounts_keystone_api_proxy.volumeMounts }}{{ toYaml $mounts_keystone_api_proxy.volumeMounts | indent 12 }}{{ end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.keystone_api_proxy.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ dict "envAll" . "component" "api" "container" "default" "type" "liveness" "probeTemplate" (include "KeystoneApiLivenessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/keystone-api-proxy.sh
+          image: "{{ .Values.images.tags.dcorch }}"
+          imagePullPolicy: {{ .Values.images.pullPolicy }}
+          ports:
+            - name: ks-proxy
+              containerPort: {{ tuple "keystone_api_proxy" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              protocol: TCP
+{{ tuple $envAll "dcorch" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.dcorch.node_selector_key }}: {{ .Values.labels.dcorch.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.dcorch.enabled }}
+{{ tuple $envAll "dcorch" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      affinity:
+        {{ tuple $envAll "dcorch" "keystone-api-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      volumes:
+        - name: dcorch-etc
+          secret:
+            secretName: dcorch-etc
+            defaultMode: 0644
+        - name: dcorch-bin
+          configMap:
+            name: dcorch-bin
+            defaultMode: 0755
+{{- if .Values.ca_certificates.root_ca }}
+        - name: root-ca
+          secret:
+            secretName: {{ .Values.ca_certificates.root_ca }}
+            defaultMode: 0644
+{{- end }}
+{{ if $mounts_keystone_api_proxy.volumes }}{{ toYaml $mounts_keystone_api_proxy.volumes | indent 8 }}{{ end }}
+{{- end }}

stx-distributed-cloud-helm/stx-distributed-cloud-helm/helm-charts/dcorch/templates/patching-api-proxy.yaml

@@ -0,0 +1,140 @@
+{{/*
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- define "PatchingApiLivenessProbeTemplate" }}
+tcpSocket:
+  port: {{ tuple "patching_api_proxy" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
+
+{{- if .Values.manifests.patching_deployment_api_proxy }}
+{{- $envAll := . }}
+
+{{- $mounts_patching_api_proxy := .Values.pod.mounts.patching_api_proxy.patching_api_proxy }}
+{{- $mounts_patching_api_proxy_init := .Values.pod.mounts.patching_api_proxy.init_container }}
+
+{{- $serviceAccountName := "patching-api-proxy" }}
+{{ tuple $envAll "patching-api-proxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: patching-api-proxy
+  labels:
+{{ tuple $envAll "dcorch" "patching-api-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  {{- if not .Values.pod.autoscaling.enabled }}
+  replicas: {{ .Values.pod.replicas.patching_api_proxy }}
+  {{- end }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "dcorch" "patching-api-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
+  template:
+    metadata:
+      {{- with .Values.pod.annotations.patching_api_proxy }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+{{ tuple $envAll "dcorch" "patching-api-proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      serviceAccountName: {{ $serviceAccountName }}
+      initContainers:
+{{ tuple $envAll "ks_endpoints_patching" $mounts_patching_api_proxy_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: patching-api-proxy
+{{ tuple $envAll $envAll.Values.pod.resources.patching_api_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+          - name: SSL_CERT_FILE
+            value: /etc/ssl/certs/ca-certificates.crt
+          envFrom:
+            - secretRef:
+                name: dcorch-keystone-admin
+          volumeMounts:
+            - name: dcorch-bin
+              mountPath: /tmp/patching-api-proxy.sh
+              subPath: patching-api-proxy.sh
+              readOnly: true
+            - name: dcorch-etc
+              mountPath: /etc/dcorch/dcorch.conf
+              subPath: dcorch.conf
+              readOnly: true
+            - name: dcorch-etc
+              mountPath: /etc/dcorch/logging.conf
+              subPath: logging.conf
+              readOnly: true
+            - name: dcorch-etc
+              mountPath: /etc/dcorch/api-paste.ini
+              subPath: api-paste.ini
+              readOnly: true
+            - name: dc-vault-dir
+              mountPath: {{ .Values.conf.dcorch.vault.base_path }}
+            - name: dc-backup-dir
+              mountPath: {{ .Values.conf.dcorch.backup.base_path }}
+{{- if .Values.ca_certificates.root_ca }}
+            - name: root-ca
+              mountPath: /usr/local/share/ca-certificates/root-ca.crt
+              subPath: ca.crt
+              readOnly: true
+{{- end }}
+{{ if $mounts_patching_api_proxy.volumeMounts }}{{ toYaml $mounts_patching_api_proxy.volumeMounts | indent 12 }}{{ end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.patching_api_proxy.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ dict "envAll" . "component" "api" "container" "default" "type" "liveness" "probeTemplate" (include "PatchingApiLivenessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+          command:
+            - /tmp/patching-api-proxy.sh
+          image: "{{ .Values.images.tags.dcorch }}"
+          imagePullPolicy: {{ .Values.images.pullPolicy }}
+          ports:
+            - name: ks-proxy
+              containerPort: {{ tuple "patching_api_proxy" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+              protocol: TCP
+{{ tuple $envAll "dcorch" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+      nodeSelector:
+        {{ .Values.labels.dcorch.node_selector_key }}: {{ .Values.labels.dcorch.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.dcorch.enabled }}
+{{ tuple $envAll "dcorch" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
+      affinity:
+        {{ tuple $envAll "dcorch" "patching-api-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+      volumes:
+        - name: dcorch-etc
+          secret:
+            secretName: dcorch-etc
+            defaultMode: 0644
+        - name: dcorch-bin
+          configMap:
+            name: dcorch-bin
+            defaultMode: 0755
+{{- if .Values.ca_certificates.root_ca }}
+        - name: root-ca
+          secret:
+            secretName: {{ .Values.ca_certificates.root_ca }}
+            defaultMode: 0644
+{{- end }}
+        {{- if and .Values.volume.vault.enabled  .Values.manifests.pvc_vault }}
+        - name: dc-vault-dir
+          persistentVolumeClaim:
+            claimName: dc-vault-pvc
+        {{- else }}
+        - name: dc-vault-dir
+          hostPath:
+            path: {{ .Values.conf.dcorch.vault.base_path }}
+            type: DirectoryOrCreate
+        {{- end }}
+        {{- if and .Values.volume.backup.enabled  .Values.manifests.pvc_backup }}
+        - name: dc-backup-dir
+          persistentVolumeClaim:
+            claimName: dc-backup-pvc
+        {{- else }}
+        - name: dc-backup-dir
+          hostPath:
+            path: {{ .Values.conf.dcorch.backup.base_path }}
+            type: DirectoryOrCreate
+        {{- end }}
+{{ if $mounts_patching_api_proxy.volumes }}{{ toYaml $mounts_patching_api_proxy.volumes | indent 8 }}{{ end }}
+{{- end }}