diff --git a/helm-toolkit/templates/manifests/_secret-ks-etc.yaml.tpl b/helm-toolkit/templates/manifests/_secret-ks-etc.yaml.tpl
new file mode 100644
index 0000000000..d93c6a212e
--- /dev/null
+++ b/helm-toolkit/templates/manifests/_secret-ks-etc.yaml.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ks_etc" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceUserSections := index . "serviceUserSections" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-ks-etc" $serviceNamePretty | quote }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ tuple "ks_etc" $serviceName $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }}
+type: Opaque
+data:
+{{- range $epName, $sectionName := $serviceUserSections }}
+{{- $epAuth := index $envAll.Values.endpoints.identity.auth $epName -}}
+{{- $configSection := dict
+ "region_name" $epAuth.region_name
+ "project_name" $epAuth.project_name
+ "project_domain_name" $epAuth.project_domain_name
+ "user_domain_name" $epAuth.user_domain_name
+ "username" $epAuth.username
+ "password" $epAuth.password
+-}}
+{{- $configSnippet := dict $sectionName $configSection }}
+{{ printf "%s_%s.conf" $serviceName $sectionName | indent 2 }}: {{ include "helm-toolkit.utils.to_oslo_conf" $configSnippet | b64enc }}
+{{- end }}
+{{- end -}}
diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml
index 41fa28c5c9..75b8523f7d 100644
--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
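Review bot: The helper writes the same six option names into every section, but the cinder hunk of nova/templates/configmap-etc.yaml in this commit removes a fallback that populated `os_region_name`, not `region_name`; if nova's `[cinder]` section still reads `os_region_name`, the region for that section is silently dropped after this change. Keeping the call interface backward-compatible, the caller could pass a per-section option-name map instead of a bare section name, or a section entry could override the option name for a field. Independently, `index $envAll.Values.endpoints.identity.auth $epName` returns nil for an unknown key and the following line then fails with an opaque nil-pointer error; `{{- $epAuth := index $envAll.Values.endpoints.identity.auth $epName | required (printf "endpoints.identity.auth.%s is missing" $epName) -}}` names the missing key instead. A header comment describing the three inputs (`envAll`, `serviceName`, and `serviceUserSections` as a map from `endpoints.identity.auth` key to oslo section name) and the resulting Secret key format `<serviceName>_<section>.conf` would also help callers.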
@@ -29,25 +29,6 @@ limitations under the License.
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "auth_url" -}}
 {{- end -}}
-{{- if empty .Values.conf.nova.keystone_authtoken.region_name -}}
-{{- $_ := set .Values.conf.nova.keystone_authtoken "region_name" .Values.endpoints.identity.auth.nova.region_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.keystone_authtoken.project_name -}}
-{{- $_ := set .Values.conf.nova.keystone_authtoken "project_name" .Values.endpoints.identity.auth.nova.project_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.keystone_authtoken.project_domain_name -}}
-{{- $_ := set .Values.conf.nova.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.nova.project_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.keystone_authtoken.user_domain_name -}}
-{{- $_ := set .Values.conf.nova.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.nova.user_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.keystone_authtoken.username -}}
-{{- $_ := set .Values.conf.nova.keystone_authtoken "username" .Values.endpoints.identity.auth.nova.username -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.keystone_authtoken.password -}}
-{{- $_ := set .Values.conf.nova.keystone_authtoken "password" .Values.endpoints.identity.auth.nova.password -}}
-{{- end -}}
-
 {{- if empty .Values.conf.nova.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
 
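Review bot: Dropping the `if empty ... set` fallbacks changes precedence for deployers who override `conf.nova.keystone_authtoken.username` or `password` in values: before, a non-empty `conf.nova` value won over `endpoints.identity.auth.nova`, whereas the new `nova-ks-etc` snippet is rendered from `endpoints.identity.auth` unconditionally and, assuming oslo.config applies `nova.conf.d/*.conf` after the main file, now overrides whatever nova.conf carries. The same applies to the `service_user`, `neutron`, `placement`, `ironic` and `cinder` hunks of this file below. If that precedence change is intended, it should be stated in the release note; otherwise the snippet should be generated from the merged `conf.nova.<section>` values, or an explicit `conf.nova.<section>.*` override should suppress the corresponding snippet key.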
@@ -60,24 +41,6 @@ limitations under the License.
 {{- if empty .Values.conf.nova.service_user.auth_url -}}
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.service_user "auth_url" -}}
 {{- end -}}
-{{- if empty .Values.conf.nova.service_user.region_name -}}
-{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.service_user.project_name -}}
-{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.service_user.project_domain_name -}}
-{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.service_user.user_domain_name -}}
-{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.service_user.username -}}
-{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.service.username -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.service_user.password -}}
-{{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.service.password -}}
-{{- end -}}
 {{- end -}}
 
@@ -124,25 +87,6 @@ limitations under the License.
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.neutron "auth_url" -}}
 {{- end -}}
-{{- if empty .Values.conf.nova.neutron.region_name -}}
-{{- $_ := set .Values.conf.nova.neutron "region_name" .Values.endpoints.identity.auth.neutron.region_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.neutron.project_name -}}
-{{- $_ := set .Values.conf.nova.neutron "project_name" .Values.endpoints.identity.auth.neutron.project_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.neutron.project_domain_name -}}
-{{- $_ := set .Values.conf.nova.neutron "project_domain_name" .Values.endpoints.identity.auth.neutron.project_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.neutron.user_domain_name -}}
-{{- $_ := set .Values.conf.nova.neutron "user_domain_name" .Values.endpoints.identity.auth.neutron.user_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.neutron.username -}}
-{{- $_ := set .Values.conf.nova.neutron "username" .Values.endpoints.identity.auth.neutron.username -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.neutron.password -}}
-{{- $_ := set .Values.conf.nova.neutron "password" .Values.endpoints.identity.auth.neutron.password -}}
-{{- end -}}
-
 {{- if empty .Values.conf.nova.cache.memcache_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.cache "memcache_servers" -}}
 {{- end -}}
 
@@ -159,25 +103,6 @@ limitations under the License.
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.nova.placement "auth_url" -}}
 {{- end -}}
-{{- if empty .Values.conf.nova.placement.region_name -}}
-{{- $_ := set .Values.conf.nova.placement "region_name" .Values.endpoints.identity.auth.placement.region_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.placement.project_name -}}
-{{- $_ := set .Values.conf.nova.placement "project_name" .Values.endpoints.identity.auth.placement.project_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.placement.project_domain_name -}}
-{{- $_ := set .Values.conf.nova.placement "project_domain_name" .Values.endpoints.identity.auth.placement.project_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.placement.user_domain_name -}}
-{{- $_ := set .Values.conf.nova.placement "user_domain_name" .Values.endpoints.identity.auth.placement.user_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.placement.username -}}
-{{- $_ := set .Values.conf.nova.placement "username" .Values.endpoints.identity.auth.placement.username -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.placement.password -}}
-{{- $_ := set .Values.conf.nova.placement "password" .Values.endpoints.identity.auth.placement.password -}}
-{{- end -}}
-
 {{- if eq .Values.console.console_kind "novnc"}}
 {{- $_ := "true" | set .Values.conf.nova.vnc "enabled" -}}
 {{- if empty .Values.conf.nova.vnc.novncproxy_base_url -}}
 
@@ -231,24 +156,6 @@ limitations under the License.
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.ironic "auth_url" -}}
 {{- end -}}
-{{- if empty .Values.conf.nova.ironic.region_name -}}
-{{- $_ := set .Values.conf.nova.ironic "region_name" .Values.endpoints.identity.auth.ironic.region_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.ironic.project_name -}}
-{{- $_ := set .Values.conf.nova.ironic "project_name" .Values.endpoints.identity.auth.ironic.project_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.ironic.project_domain_name -}}
-{{- $_ := set .Values.conf.nova.ironic "project_domain_name" .Values.endpoints.identity.auth.ironic.project_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.ironic.user_domain_name -}}
-{{- $_ := set .Values.conf.nova.ironic "user_domain_name" .Values.endpoints.identity.auth.ironic.user_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.ironic.username -}}
-{{- $_ := set .Values.conf.nova.ironic "username" .Values.endpoints.identity.auth.ironic.username -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.ironic.password -}}
-{{- $_ := set .Values.conf.nova.ironic "password" .Values.endpoints.identity.auth.ironic.password -}}
-{{- end -}}
 {{- if empty .Values.conf.nova.ironic.auth_type -}}
 {{- $_ := set .Values.conf.nova.ironic "auth_type" .Values.endpoints.identity.auth.ironic.auth_type -}}
 {{- end -}}
 
@@ -271,25 +178,6 @@ limitations under the License.
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.cinder "auth_url" -}}
 {{- end -}}
-{{- if empty .Values.conf.nova.cinder.os_region_name -}}
-{{- $_ := set .Values.conf.nova.cinder "os_region_name" .Values.endpoints.identity.auth.cinder.region_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.cinder.project_name -}}
-{{- $_ := set .Values.conf.nova.cinder "project_name" .Values.endpoints.identity.auth.cinder.project_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.cinder.project_domain_name -}}
-{{- $_ := set .Values.conf.nova.cinder "project_domain_name" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.cinder.user_domain_name -}}
-{{- $_ := set .Values.conf.nova.cinder "user_domain_name" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.cinder.username -}}
-{{- $_ := set .Values.conf.nova.cinder "username" .Values.endpoints.identity.auth.cinder.username -}}
-{{- end -}}
-{{- if empty .Values.conf.nova.cinder.password -}}
-{{- $_ := set .Values.conf.nova.cinder "password" .Values.endpoints.identity.auth.cinder.password -}}
-{{- end -}}
-
 {{- end -}}
 {{- end -}}
diff --git a/nova/templates/cron-job-archive-deleted-rows.yaml b/nova/templates/cron-job-archive-deleted-rows.yaml
index cfaba7af14..9051fabf2c 100644
--- a/nova/templates/cron-job-archive-deleted-rows.yaml
+++ b/nova/templates/cron-job-archive-deleted-rows.yaml
@@ -73,6 +73,9 @@ spec:
 mountPath: /etc/nova/nova.conf
 subPath: nova.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.conf.d/
+ readOnly: true
 - name: archive-deleted-rows-conf
 mountPath: /etc/nova/logging.conf
 subPath: logging.conf
@@ -93,6 +96,11 @@ spec:
 - name: archive-deleted-rows-conf
 secret:
 secretName: nova-etc
+ - name: nova-etc-snippets
+ projected:
+ sources:
+ - secret:
+ name: nova-ks-etc
 {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- end }}
diff --git a/nova/templates/cron-job-service-cleaner.yaml b/nova/templates/cron-job-service-cleaner.yaml
index 89adca003f..99d0339a64 100644
--- a/nova/templates/cron-job-service-cleaner.yaml
+++ b/nova/templates/cron-job-service-cleaner.yaml
@@ -74,6 +74,9 @@ spec:
 readOnly: true
 - name: etcnova
 mountPath: /etc/nova
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.conf.d/
+ readOnly: true
 {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 volumes:
 - name: pod-tmp
@@ -88,5 +91,10 @@ spec:
 configMap:
 name: nova-bin
 defaultMode: 0555
+ - name: nova-etc-snippets
+ projected:
+ sources:
+ - secret:
+ name: nova-ks-etc
 {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- end }}
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 83af8f3c51..464c16ec15 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
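Review bot: The `nova-etc-snippets` projected volume sets no `defaultMode`, so the credential snippets are projected with the Kubernetes default for projected volumes (0644) while the `nova-etc` secret volume next to it uses `defaultMode: 0444`; adding `defaultMode: 0444` directly under `projected:` keeps the new credential files at least as restrictive as the config they replace. The same applies to every other `nova-etc-snippets` volume in this commit (cron-job-service-cleaner, daemonset-compute, the api-metadata, api-osapi, conductor, novncproxy, scheduler, serialproxy and spiceproxy deployments, job-cell-setup and statefulset-compute-ironic). Since each of these volumes projects a single secret, a plain `secret:` volume with `secretName: nova-ks-etc` and `defaultMode: 0444` would also express this in fewer lines unless further sources are planned.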
@@ -340,6 +340,9 @@ spec:
 mountPath: /etc/nova/nova.conf
 subPath: nova-compute.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.conf.d/
+ readOnly: true
 {{- if .Values.conf.nova.DEFAULT.log_config_append }}
 - name: nova-etc
 mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -512,6 +515,11 @@ spec:
 secret:
 secretName: {{ $configMapName }}
 defaultMode: 0444
+ - name: nova-etc-snippets
+ projected:
+ sources:
+ - secret:
+ name: nova-ks-etc
 {{- if .Values.network.ssh.enabled }}
 - name: nova-ssh
 secret:
diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml
index 8d7a3a7678..52a3ff6b73 100644
--- a/nova/templates/deployment-api-metadata.yaml
+++ b/nova/templates/deployment-api-metadata.yaml
@@ -91,6 +91,9 @@ spec:
 mountPath: /etc/nova/nova.conf
 subPath: nova.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.conf.d/
+ readOnly: true
 - name: pod-shared
 mountPath: /tmp/pod-shared
 containers:
@@ -143,6 +146,9 @@ spec:
 mountPath: /etc/nova/nova.conf
 subPath: nova.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.conf.d/
+ readOnly: true
 {{- if .Values.conf.nova.DEFAULT.log_config_append }}
 - name: nova-etc
 mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -215,6 +221,11 @@ spec:
 secret:
 secretName: nova-etc
 defaultMode: 0444
+ - name: nova-etc-snippets
+ projected:
+ sources:
+ - secret:
+ name: nova-ks-etc
 - name: pod-shared
 emptyDir: {}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml
index 10f50d7227..7c273172d4 100644
--- a/nova/templates/deployment-api-osapi.yaml
+++ b/nova/templates/deployment-api-osapi.yaml
@@ -111,6 +111,9 @@ spec:
 mountPath: /etc/nova/nova.conf
 subPath: nova.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.conf.d/
+ readOnly: true
 - name: nova-etc
 mountPath: /etc/nova/nova-api-uwsgi.ini
 subPath: nova-api-uwsgi.ini
@@ -166,6 +169,11 @@ spec:
 secret:
 secretName: nova-etc
 defaultMode: 0444
+ - name: nova-etc-snippets
+ projected:
+ sources:
+ - secret:
+ name: nova-ks-etc
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml
index 662028de2f..9a4570974b 100644
--- a/nova/templates/deployment-conductor.yaml
+++ b/nova/templates/deployment-conductor.yaml
@@ -115,6 +115,9 @@ spec:
 mountPath: /etc/nova/nova.conf
 subPath: nova.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.conf.d/
+ readOnly: true
 {{- if .Values.conf.nova.DEFAULT.log_config_append }}
 - name: nova-etc
 mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -140,6 +143,11 @@ spec:
 secret:
 secretName: nova-etc
 defaultMode: 0444
+ - name: nova-etc-snippets
+ projected:
+ sources:
+ - secret:
+ name: nova-ks-etc
 {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml
index 5cd435d313..f07d23b2d8 100644
--- a/nova/templates/deployment-novncproxy.yaml
+++ b/nova/templates/deployment-novncproxy.yaml
@@ -92,6 +92,9 @@ spec:
 mountPath: /etc/nova/nova.conf
 subPath: nova.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.d
+ readOnly: true
 {{- if .Values.conf.nova.DEFAULT.log_config_append }}
 - name: nova-etc
 mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -138,6 +141,9 @@ spec:
 mountPath: /etc/nova/nova.conf
 subPath: nova.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.d
+ readOnly: true
 - name: nova-etc
 mountPath: /etc/nova/logging.conf
 subPath: logging.conf
@@ -168,6 +174,11 @@ spec:
 secret:
 secretName: nova-etc
 defaultMode: 0444
+ - name: nova-etc-snippets
+ projected:
+ sources:
+ - secret:
+ name: nova-ks-etc
 - name: pod-usr-share-novnc
 emptyDir: {}
 - name: pod-shared
diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml
index f760c01a55..2e6c7e6fb3 100644
--- a/nova/templates/deployment-scheduler.yaml
+++ b/nova/templates/deployment-scheduler.yaml
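Review bot: The two novncproxy volumeMounts use `mountPath: /etc/nova/nova.d`, while every other `nova-etc-snippets` mount in this commit uses `/etc/nova/nova.conf.d/`; to my understanding oslo.config's default config-dir discovery looks for `<project>.conf.d`, so unless novncproxy is started with an explicit `--config-dir` the snippet directory in this pod is likely never read and the proxy runs without whatever credentials were just removed from nova.conf. Change both mounts to `mountPath: /etc/nova/nova.conf.d/`. The release note in this commit also describes the location as `/etc/nova/nova.d/`, which contradicts the path used by the other templates and should be aligned with whichever path is settled on.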
@@ -115,6 +115,9 @@ spec:
 mountPath: /etc/nova/nova.conf
 subPath: nova.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.conf.d/
+ readOnly: true
 {{- if .Values.conf.nova.DEFAULT.log_config_append }}
 - name: nova-etc
 mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -140,6 +143,11 @@ spec:
 secret:
 secretName: nova-etc
 defaultMode: 0444
+ - name: nova-etc-snippets
+ projected:
+ sources:
+ - secret:
+ name: nova-ks-etc
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
diff --git a/nova/templates/deployment-serialproxy.yaml b/nova/templates/deployment-serialproxy.yaml
index c969b5b664..22adb9076b 100644
--- a/nova/templates/deployment-serialproxy.yaml
+++ b/nova/templates/deployment-serialproxy.yaml
@@ -90,6 +90,9 @@ spec:
 mountPath: /etc/nova/nova.conf
 subPath: nova.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.conf.d/
+ readOnly: true
 {{- if .Values.conf.nova.DEFAULT.log_config_append }}
 - name: nova-etc
 mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -121,6 +124,9 @@ spec:
 mountPath: /etc/nova/nova.conf
 subPath: nova.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.conf.d/
+ readOnly: true
 - name: nova-etc
 mountPath: /etc/nova/logging.conf
 subPath: logging.conf
@@ -146,6 +152,11 @@ spec:
 secret:
 secretName: nova-etc
 defaultMode: 0444
+ - name: nova-etc-snippets
+ projected:
+ sources:
+ - secret:
+ name: nova-ks-etc
 - name: pod-usr-share-serial
 emptyDir: {}
 - name: pod-shared
diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml
index 5c99dfb7e6..975148443f 100644
--- a/nova/templates/deployment-spiceproxy.yaml
+++ b/nova/templates/deployment-spiceproxy.yaml
@@ -133,6 +133,9 @@ spec:
 mountPath: /etc/nova/nova.conf
 subPath: nova.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.conf.d/
+ readOnly: true
 {{- if .Values.conf.nova.DEFAULT.log_config_append }}
 - name: nova-etc
 mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -157,6 +160,11 @@ spec:
 secret:
 secretName: nova-etc
 defaultMode: 0444
+ - name: nova-etc-snippets
+ projected:
+ sources:
+ - secret:
+ name: nova-ks-etc
 - name: pod-usr-share-spice-html5
 emptyDir: {}
 - name: pod-shared
diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml
index f6e51a4ff8..a2abeacab7 100644
--- a/nova/templates/job-cell-setup.yaml
+++ b/nova/templates/job-cell-setup.yaml
@@ -103,6 +103,9 @@ spec:
 mountPath: /etc/nova/nova.conf
 subPath: nova.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.conf.d/
+ readOnly: true
 {{- if .Values.conf.nova.DEFAULT.log_config_append }}
 - name: nova-etc
 mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -124,6 +127,11 @@ spec:
 secret:
 secretName: nova-etc
 defaultMode: 0444
+ - name: nova-etc-snippets
+ projected:
+ sources:
+ - secret:
+ name: nova-ks-etc
 - name: nova-bin
 configMap:
 name: nova-bin
diff --git a/nova/templates/job-nova-storage-init.yaml b/nova/templates/job-nova-storage-init.yaml
index 9748a5f45d..85810f4e5a 100644
--- a/nova/templates/job-nova-storage-init.yaml
+++ b/nova/templates/job-nova-storage-init.yaml
@@ -164,4 +164,4 @@ spec:
 secretName: {{ .Values.ceph_client.user_secret_name }}
 {{- end }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/nova/templates/secret-ks-etc.yaml b/nova/templates/secret-ks-etc.yaml
new file mode 100644
index 0000000000..b3419e3f51
--- /dev/null
+++ b/nova/templates/secret-ks-etc.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ks_etc }}
+{{- $envAll := . -}}
+{{/* the endpoints.identity.auth sections with the oslo conf sections they get rendered to */}}
+{{- $ksUsers := dict
+ "nova" "keystone_authtoken"
+ "neutron" "neutron"
+ "placement" "placement"
+ "ironic" "ironic"
+ "cinder" "cinder"
+-}}
+{{- if .Values.conf.nova.service_user.send_service_user_token }}
+{{- $_ := set $ksUsers "service" "service_user" -}}
+{{- end }}
+{{ dict
+ "envAll" $envAll
+ "serviceName" "nova"
+ "serviceUserSections" $ksUsers
+ | include "helm-toolkit.manifests.secret_ks_etc"
+}}
+{{- end }}
diff --git a/nova/templates/statefulset-compute-ironic.yaml b/nova/templates/statefulset-compute-ironic.yaml
index 4936429a81..4c22627f96 100644
--- a/nova/templates/statefulset-compute-ironic.yaml
+++ b/nova/templates/statefulset-compute-ironic.yaml
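Review bot: `manifests.secret_ks_etc` guards only this Secret, while the `nova-etc-snippets` volumes added to every pod template in this commit reference `nova-ks-etc` unconditionally and without `optional: true`; setting the flag to false therefore leaves every nova pod stuck in ContainerCreating on a missing secret instead of falling back to credentials in nova.conf. Either wrap the volumes and mounts in the same `{{- if .Values.manifests.secret_ks_etc }}` guard, or document in values.yaml that this flag cannot be turned off on its own. The comment above `$ksUsers` would also read more clearly as `{{/* map of endpoints.identity.auth keys to the nova.conf section each credential set is rendered into */}}`.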
@@ -74,6 +74,9 @@ spec:
 mountPath: /etc/nova/nova-compute.conf
 subPath: nova-compute.conf
 readOnly: true
+ - name: nova-etc-snippets
+ mountPath: /etc/nova/nova.conf.d/
+ readOnly: true
 {{- if .Values.conf.nova.DEFAULT.log_config_append }}
 - name: nova-etc
 mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }}
@@ -106,6 +109,11 @@ spec:
 secret:
 secretName: nova-etc
 defaultMode: 0444
+ - name: nova-etc-snippets
+ projected:
+ sources:
+ - secret:
+ name: nova-ks-etc
 - name: varlibironic
 hostPath:
 path: /var/lib/ironic
diff --git a/nova/values.yaml b/nova/values.yaml
index cabaf72ac3..892bae384a 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -2697,6 +2697,7 @@ manifests:
 secret_db: true
 secret_ingress_tls: true
 secret_keystone: true
+ secret_ks_etc: true
 secret_rabbitmq: true
 secret_registry: true
 service_ingress_metadata: true
diff --git a/releasenotes/notes/nova-476f40003a31bc77.yaml b/releasenotes/notes/nova-476f40003a31bc77.yaml
new file mode 100644
index 0000000000..3c9b690a97
--- /dev/null
+++ b/releasenotes/notes/nova-476f40003a31bc77.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Split out the OpenStack service account definitions from nova.conf and into
+ config snippets which are loaded at /etc/nova/nova.d/, which is automatically
+ loaded by OSLO when loading the main nova.conf. This makes it easier for users
+ to use the regular config generation while supplying credentials out of band.
+...
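Review bot: In statefulset-compute-ironic the main config is mounted as `/etc/nova/nova-compute.conf` rather than `/etc/nova/nova.conf`, so whether `/etc/nova/nova.conf.d/` is actually consumed by this process depends on how it discovers config directories (to my understanding oslo.config's default lookup is by project and program name, not derived from the `--config-file` path), which I cannot confirm from the hunk. A rendered-chart or integration check that nova-compute-ironic authenticates with the snippet-sourced credentials would settle it; if it does not, the start command needs an explicit `--config-dir /etc/nova/nova.conf.d`. The daemonset-compute hunk avoids the question by mounting `nova-compute.conf` at `/etc/nova/nova.conf`, so the two compute templates could also simply be made consistent.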