Merge "[nova]: split service accounts from the main nova.conf"

Zuul
2025-07-10 02:31:27 +00:00
committed by Gerrit Code Review
18 changed files with 192 additions and 113 deletions


@@ -0,0 +1,43 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "helm-toolkit.manifests.secret_ks_etc" -}}
{{- $envAll := index . "envAll" -}}
{{- $serviceName := index . "serviceName" -}}
{{- $serviceUserSections := index . "serviceUserSections" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-ks-etc" $serviceNamePretty | quote }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
{{ tuple "ks_etc" $serviceName $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }}
type: Opaque
data:
{{- range $epName, $sectionName := $serviceUserSections }}
{{- $epAuth := index $envAll.Values.endpoints.identity.auth $epName -}}
{{- $configSection := dict
"region_name" $epAuth.region_name
"project_name" $epAuth.project_name
"project_domain_name" $epAuth.project_domain_name
"user_domain_name" $epAuth.user_domain_name
"username" $epAuth.username
"password" $epAuth.password
-}}
{{- $configSnippet := dict $sectionName $configSection }}
{{ printf "%s_%s.conf" $serviceName $sectionName | indent 2 }}: {{ include "helm-toolkit.utils.to_oslo_conf" $configSnippet | b64enc }}
{{- end }}
{{- end -}}
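Review bot: The lookup `index $envAll.Values.endpoints.identity.auth $epName` inside the `range` is never checked, so a key in `serviceUserSections` with no matching auth entry leaves `$epAuth` empty and the six fields are read from nothing. Depending on how `to_oslo_conf` treats missing values (not visible here), that either aborts rendering with an unhelpful error or writes a snippet with a blank username and password into the Secret. Failing early is clearer: `{{- $epAuth := index $envAll.Values.endpoints.identity.auth $epName | required (printf "endpoints.identity.auth.%s must be set" $epName) -}}`. The define also has no usage comment; one listing the `envAll`, `serviceName` and `serviceUserSections` arguments would help callers.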


@@ -29,25 +29,6 @@ limitations under the License.
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "auth_url" -}}
{{- end -}}
{{- if empty .Values.conf.nova.keystone_authtoken.region_name -}}
{{- $_ := set .Values.conf.nova.keystone_authtoken "region_name" .Values.endpoints.identity.auth.nova.region_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.keystone_authtoken.project_name -}}
{{- $_ := set .Values.conf.nova.keystone_authtoken "project_name" .Values.endpoints.identity.auth.nova.project_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.keystone_authtoken.project_domain_name -}}
{{- $_ := set .Values.conf.nova.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.nova.project_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.keystone_authtoken.user_domain_name -}}
{{- $_ := set .Values.conf.nova.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.nova.user_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.keystone_authtoken.username -}}
{{- $_ := set .Values.conf.nova.keystone_authtoken "username" .Values.endpoints.identity.auth.nova.username -}}
{{- end -}}
{{- if empty .Values.conf.nova.keystone_authtoken.password -}}
{{- $_ := set .Values.conf.nova.keystone_authtoken "password" .Values.endpoints.identity.auth.nova.password -}}
{{- end -}}
{{- if empty .Values.conf.nova.keystone_authtoken.memcached_servers -}}
{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "memcached_servers" -}}
{{- end -}}
@@ -60,24 +41,6 @@ limitations under the License.
{{- if empty .Values.conf.nova.service_user.auth_url -}}
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.service_user "auth_url" -}}
{{- end -}}
{{- if empty .Values.conf.nova.service_user.region_name -}}
{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.service_user.project_name -}}
{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.service_user.project_domain_name -}}
{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.service_user.user_domain_name -}}
{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.service_user.username -}}
{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.service.username -}}
{{- end -}}
{{- if empty .Values.conf.nova.service_user.password -}}
{{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.service.password -}}
{{- end -}}
{{- end -}}
@@ -124,25 +87,6 @@ limitations under the License.
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.neutron "auth_url" -}}
{{- end -}}
{{- if empty .Values.conf.nova.neutron.region_name -}}
{{- $_ := set .Values.conf.nova.neutron "region_name" .Values.endpoints.identity.auth.neutron.region_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.neutron.project_name -}}
{{- $_ := set .Values.conf.nova.neutron "project_name" .Values.endpoints.identity.auth.neutron.project_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.neutron.project_domain_name -}}
{{- $_ := set .Values.conf.nova.neutron "project_domain_name" .Values.endpoints.identity.auth.neutron.project_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.neutron.user_domain_name -}}
{{- $_ := set .Values.conf.nova.neutron "user_domain_name" .Values.endpoints.identity.auth.neutron.user_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.neutron.username -}}
{{- $_ := set .Values.conf.nova.neutron "username" .Values.endpoints.identity.auth.neutron.username -}}
{{- end -}}
{{- if empty .Values.conf.nova.neutron.password -}}
{{- $_ := set .Values.conf.nova.neutron "password" .Values.endpoints.identity.auth.neutron.password -}}
{{- end -}}
{{- if empty .Values.conf.nova.cache.memcache_servers -}}
{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.cache "memcache_servers" -}}
{{- end -}}
@@ -159,25 +103,6 @@ limitations under the License.
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.nova.placement "auth_url" -}}
{{- end -}}
{{- if empty .Values.conf.nova.placement.region_name -}}
{{- $_ := set .Values.conf.nova.placement "region_name" .Values.endpoints.identity.auth.placement.region_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.placement.project_name -}}
{{- $_ := set .Values.conf.nova.placement "project_name" .Values.endpoints.identity.auth.placement.project_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.placement.project_domain_name -}}
{{- $_ := set .Values.conf.nova.placement "project_domain_name" .Values.endpoints.identity.auth.placement.project_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.placement.user_domain_name -}}
{{- $_ := set .Values.conf.nova.placement "user_domain_name" .Values.endpoints.identity.auth.placement.user_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.placement.username -}}
{{- $_ := set .Values.conf.nova.placement "username" .Values.endpoints.identity.auth.placement.username -}}
{{- end -}}
{{- if empty .Values.conf.nova.placement.password -}}
{{- $_ := set .Values.conf.nova.placement "password" .Values.endpoints.identity.auth.placement.password -}}
{{- end -}}
{{- if eq .Values.console.console_kind "novnc"}}
{{- $_ := "true" | set .Values.conf.nova.vnc "enabled" -}}
{{- if empty .Values.conf.nova.vnc.novncproxy_base_url -}}
@@ -231,24 +156,6 @@ limitations under the License.
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.ironic "auth_url" -}}
{{- end -}}
{{- if empty .Values.conf.nova.ironic.region_name -}}
{{- $_ := set .Values.conf.nova.ironic "region_name" .Values.endpoints.identity.auth.ironic.region_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.ironic.project_name -}}
{{- $_ := set .Values.conf.nova.ironic "project_name" .Values.endpoints.identity.auth.ironic.project_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.ironic.project_domain_name -}}
{{- $_ := set .Values.conf.nova.ironic "project_domain_name" .Values.endpoints.identity.auth.ironic.project_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.ironic.user_domain_name -}}
{{- $_ := set .Values.conf.nova.ironic "user_domain_name" .Values.endpoints.identity.auth.ironic.user_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.ironic.username -}}
{{- $_ := set .Values.conf.nova.ironic "username" .Values.endpoints.identity.auth.ironic.username -}}
{{- end -}}
{{- if empty .Values.conf.nova.ironic.password -}}
{{- $_ := set .Values.conf.nova.ironic "password" .Values.endpoints.identity.auth.ironic.password -}}
{{- end -}}
{{- if empty .Values.conf.nova.ironic.auth_type -}}
{{- $_ := set .Values.conf.nova.ironic "auth_type" .Values.endpoints.identity.auth.ironic.auth_type -}}
{{- end -}}
@@ -271,25 +178,6 @@ limitations under the License.
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.cinder "auth_url" -}}
{{- end -}}
{{- if empty .Values.conf.nova.cinder.os_region_name -}}
{{- $_ := set .Values.conf.nova.cinder "os_region_name" .Values.endpoints.identity.auth.cinder.region_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.cinder.project_name -}}
{{- $_ := set .Values.conf.nova.cinder "project_name" .Values.endpoints.identity.auth.cinder.project_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.cinder.project_domain_name -}}
{{- $_ := set .Values.conf.nova.cinder "project_domain_name" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.cinder.user_domain_name -}}
{{- $_ := set .Values.conf.nova.cinder "user_domain_name" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.nova.cinder.username -}}
{{- $_ := set .Values.conf.nova.cinder "username" .Values.endpoints.identity.auth.cinder.username -}}
{{- end -}}
{{- if empty .Values.conf.nova.cinder.password -}}
{{- $_ := set .Values.conf.nova.cinder "password" .Values.endpoints.identity.auth.cinder.password -}}
{{- end -}}
{{- end -}}
{{- end -}}


@@ -73,6 +73,9 @@ spec:
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.conf.d/
readOnly: true
- name: archive-deleted-rows-conf
mountPath: /etc/nova/logging.conf
subPath: logging.conf
@@ -93,6 +96,11 @@ spec:
- name: archive-deleted-rows-conf
secret:
secretName: nova-etc
- name: nova-etc-snippets
projected:
sources:
- secret:
name: nova-ks-etc
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
{{- end }}
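Review bot: The `nova-etc-snippets` projected volume is declared without a `defaultMode`, so the snippet files holding the service-account passwords are mounted with the Kubernetes default of 0644. Setting it explicitly, for example `defaultMode: 0440` under `projected:` if the container's user and group allow it, keeps the credentials from being readable by every process in the container. This job also receives every section stored in `nova-ks-etc`; an `items:` list on the secret source could limit the mount to the snippets it actually needs. The same volume definition is repeated in the other pod templates of this commit.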


@@ -74,6 +74,9 @@ spec:
readOnly: true
- name: etcnova
mountPath: /etc/nova
- name: nova-etc-snippets
mountPath: /etc/nova/nova.conf.d/
readOnly: true
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
volumes:
- name: pod-tmp
@@ -88,5 +91,10 @@ spec:
configMap:
name: nova-bin
defaultMode: 0555
- name: nova-etc-snippets
projected:
sources:
- secret:
name: nova-ks-etc
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
{{- end }}


@@ -340,6 +340,9 @@ spec:
mountPath: /etc/nova/nova.conf
subPath: nova-compute.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.conf.d/
readOnly: true
{{- if .Values.conf.nova.DEFAULT.log_config_append }}
- name: nova-etc
mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -512,6 +515,11 @@ spec:
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: nova-etc-snippets
projected:
sources:
- secret:
name: nova-ks-etc
{{- if .Values.network.ssh.enabled }}
- name: nova-ssh
secret:


@@ -91,6 +91,9 @@ spec:
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.conf.d/
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
containers:
@@ -143,6 +146,9 @@ spec:
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.conf.d/
readOnly: true
{{- if .Values.conf.nova.DEFAULT.log_config_append }}
- name: nova-etc
mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -215,6 +221,11 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
- name: nova-etc-snippets
projected:
sources:
- secret:
name: nova-ks-etc
- name: pod-shared
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}


@@ -111,6 +111,9 @@ spec:
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.conf.d/
readOnly: true
- name: nova-etc
mountPath: /etc/nova/nova-api-uwsgi.ini
subPath: nova-api-uwsgi.ini
@@ -166,6 +169,11 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
- name: nova-etc-snippets
projected:
sources:
- secret:
name: nova-ks-etc
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}


@@ -115,6 +115,9 @@ spec:
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.conf.d/
readOnly: true
{{- if .Values.conf.nova.DEFAULT.log_config_append }}
- name: nova-etc
mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -140,6 +143,11 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
- name: nova-etc-snippets
projected:
sources:
- secret:
name: nova-ks-etc
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}


@@ -92,6 +92,9 @@ spec:
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.d
readOnly: true
{{- if .Values.conf.nova.DEFAULT.log_config_append }}
- name: nova-etc
mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -138,6 +141,9 @@ spec:
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.d
readOnly: true
- name: nova-etc
mountPath: /etc/nova/logging.conf
subPath: logging.conf
@@ -168,6 +174,11 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
- name: nova-etc-snippets
projected:
sources:
- secret:
name: nova-ks-etc
- name: pod-usr-share-novnc
emptyDir: {}
- name: pod-shared
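Review bot: Both mounts in this template use `mountPath: /etc/nova/nova.d`, while every other template in the commit mounts `nova-etc-snippets` at `/etc/nova/nova.conf.d/`. If the proxy relies on oslo.config's default config directory rather than an explicit `--config-dir` (the start script is not visible here), snippets under `/etc/nova/nova.d` would not be loaded and the service would start without its Keystone credentials. Suggested change at both places: `mountPath: /etc/nova/nova.conf.d/`. The release note at the end of the commit names `/etc/nova/nova.d/` as well and should match whichever path is correct.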


@@ -115,6 +115,9 @@ spec:
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.conf.d/
readOnly: true
{{- if .Values.conf.nova.DEFAULT.log_config_append }}
- name: nova-etc
mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -140,6 +143,11 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
- name: nova-etc-snippets
projected:
sources:
- secret:
name: nova-ks-etc
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}


@@ -90,6 +90,9 @@ spec:
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.conf.d/
readOnly: true
{{- if .Values.conf.nova.DEFAULT.log_config_append }}
- name: nova-etc
mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -121,6 +124,9 @@ spec:
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.conf.d/
readOnly: true
- name: nova-etc
mountPath: /etc/nova/logging.conf
subPath: logging.conf
@@ -146,6 +152,11 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
- name: nova-etc-snippets
projected:
sources:
- secret:
name: nova-ks-etc
- name: pod-usr-share-serial
emptyDir: {}
- name: pod-shared


@@ -133,6 +133,9 @@ spec:
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.conf.d/
readOnly: true
{{- if .Values.conf.nova.DEFAULT.log_config_append }}
- name: nova-etc
mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -157,6 +160,11 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
- name: nova-etc-snippets
projected:
sources:
- secret:
name: nova-ks-etc
- name: pod-usr-share-spice-html5
emptyDir: {}
- name: pod-shared


@@ -103,6 +103,9 @@ spec:
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.conf.d/
readOnly: true
{{- if .Values.conf.nova.DEFAULT.log_config_append }}
- name: nova-etc
mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -124,6 +127,11 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
- name: nova-etc-snippets
projected:
sources:
- secret:
name: nova-ks-etc
- name: nova-bin
configMap:
name: nova-bin


@@ -164,4 +164,4 @@ spec:
secretName: {{ .Values.ceph_client.user_secret_name }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,34 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ks_etc }}
{{- $envAll := . -}}
{{/* the endpoints.identity.auth sections with the oslo conf sections they get rendered to */}}
{{- $ksUsers := dict
"nova" "keystone_authtoken"
"neutron" "neutron"
"placement" "placement"
"ironic" "ironic"
"cinder" "cinder"
-}}
{{- if .Values.conf.nova.service_user.send_service_user_token }}
{{- $_ := set $ksUsers "service" "service_user" -}}
{{- end }}
{{ dict
"envAll" $envAll
"serviceName" "nova"
"serviceUserSections" $ksUsers
| include "helm-toolkit.manifests.secret_ks_etc"
}}
{{- end }}
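Review bot: The `"cinder" "cinder"` entry sends the cinder credentials through the shared toolkit template, which always writes the key `region_name`, whereas the defaulting removed from the nova.conf template set `os_region_name` for that section. Unless `[cinder]` also accepts `region_name` (worth checking against Nova's option list), the region for the volume endpoint is no longer defaulted after this change. Keeping the three removed lines for `os_region_name` in the nova.conf template (`{{- if empty .Values.conf.nova.cinder.os_region_name -}}` through its `{{- end -}}`) would preserve the old behaviour. Separately, values set directly under `conf.nova.<section>` used to win through the removed `if empty` guards; whether they still take precedence over the snippets depends on oslo.config's load order and should be confirmed.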


@@ -74,6 +74,9 @@ spec:
mountPath: /etc/nova/nova-compute.conf
subPath: nova-compute.conf
readOnly: true
- name: nova-etc-snippets
mountPath: /etc/nova/nova.conf.d/
readOnly: true
{{- if .Values.conf.nova.DEFAULT.log_config_append }}
- name: nova-etc
mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -106,6 +109,11 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
- name: nova-etc-snippets
projected:
sources:
- secret:
name: nova-ks-etc
- name: varlibironic
hostPath:
path: /var/lib/ironic


@@ -2697,6 +2697,7 @@ manifests:
secret_db: true
secret_ingress_tls: true
secret_keystone: true
secret_ks_etc: true
secret_rabbitmq: true
secret_registry: true
service_ingress_metadata: true
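Review bot: The new `secret_ks_etc` flag has no comment explaining what turning it off requires. The pod templates in this commit reference the secret `nova-ks-etc` unconditionally and without `optional: true`, so with the flag set to false the pods will not start until a secret of that name exists. A comment above the key would make that contract visible, for example `# when false, a Secret named nova-ks-etc must be supplied out of band`.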


@@ -0,0 +1,8 @@
---
features:
- |
Split out the OpenStack service account definitions from nova.conf and into
config snippets which are loaded at /etc/nova/nova.d/, which is automatically
loaded by OSLO when loading the main nova.conf. This makes it easier for users
to use the regular config generation while supplying credentials out of band.
...