feat(nova): create a way for users to provide configs in nova.conf.d

Allow users to provide additional projected volumes to be mounted into the various deployments, statefulsets, and jobs that the nova chart has in the /etc/nova/nova.conf.d/ path. This allows for users to provide service account or database secrets via different operators as well as provide ways to use the chart to define common deployments while being able to have site specific overrides. Change-Id: Ic67f07f2add9267136a0b6130af87cbb36ea6680 Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
2025-09-29 12:10:22 -05:00
parent eaff9dd646
commit 27123129db
14 changed files with 110 additions and 24 deletions
--- a/nova/templates/cron-job-archive-deleted-rows.yaml
+++ b/nova/templates/cron-job-archive-deleted-rows.yaml
@@ -17,6 +17,10 @@ limitations under the License.

 {{- $serviceAccountName := "nova-archive-deleted-rows-cron" }}
 {{ tuple $envAll "archive_deleted_rows" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $etcSources := .Values.pod.etcSources.nova_archive_deleted_rows }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }}
+{{- end }}
 ---
 apiVersion: batch/v1
 kind: CronJob
@@ -96,11 +100,12 @@ spec:
            - name: archive-deleted-rows-conf
              secret:
                secretName: nova-etc
+{{- if $etcSources }}
            - name: nova-etc-snippets
              projected:
                sources:
-                  - secret:
-                      name: nova-ks-etc
+{{ toYaml $etcSources | indent 18 }}
+{{ end }}
 {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- end }}
--- a/nova/templates/cron-job-service-cleaner.yaml
+++ b/nova/templates/cron-job-service-cleaner.yaml
@@ -17,6 +17,10 @@ limitations under the License.

 {{- $serviceAccountName := "nova-service-cleaner" }}
 {{ tuple $envAll "service_cleaner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $etcSources := .Values.pod.etcSources.nova_service_cleaner }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }}
+{{- end }}
 ---
 apiVersion: batch/v1
 kind: CronJob
@@ -91,10 +95,11 @@ spec:
              configMap:
                name: nova-bin
                defaultMode: 0555
+{{- if $etcSources }}
            - name: nova-etc-snippets
              projected:
                sources:
-                  - secret:
-                      name: nova-ks-etc
+{{ toYaml $etcSources | indent 18 }}
+{{ end }}
 {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- end }}
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -71,6 +71,10 @@ exec:

 {{- $mounts_nova_compute := .Values.pod.mounts.nova_compute.nova_compute }}
 {{- $mounts_nova_compute_init := .Values.pod.mounts.nova_compute.init_container }}
+{{- $etcSources := .Values.pod.etcSources.nova_compute }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }}
+{{- end }}

 ---
 apiVersion: apps/v1
@@ -521,11 +525,12 @@ spec:
          secret:
            secretName: {{ $configMapName }}
            defaultMode: 0444
+{{- if $etcSources }}
        - name: nova-etc-snippets
          projected:
            sources:
-              - secret:
-                  name: nova-ks-etc
+{{ toYaml $etcSources | indent 14 }}
+{{ end }}
        {{- if .Values.network.ssh.enabled }}
        - name: nova-ssh
          secret:
--- a/nova/templates/deployment-api-metadata.yaml
+++ b/nova/templates/deployment-api-metadata.yaml
@@ -31,6 +31,10 @@ httpGet:

 {{- $mounts_nova_api_metadata := .Values.pod.mounts.nova_api_metadata.nova_api_metadata }}
 {{- $mounts_nova_api_metadata_init := .Values.pod.mounts.nova_api_metadata.init_container }}
+{{- $etcSources := .Values.pod.etcSources.nova_api_metadata }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }}
+{{- end }}

 {{- $serviceAccountName := "nova-api-metadata" }}
 {{ tuple $envAll "api_metadata" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -221,11 +225,12 @@ spec:
          secret:
            secretName: nova-etc
            defaultMode: 0444
+{{- if $etcSources }}
        - name: nova-etc-snippets
          projected:
            sources:
-              - secret:
-                  name: nova-ks-etc
+{{ toYaml $etcSources | indent 14 }}
+{{ end }}
        - name: pod-shared
          emptyDir: {}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
--- a/nova/templates/deployment-api-osapi.yaml
+++ b/nova/templates/deployment-api-osapi.yaml
@@ -31,6 +31,10 @@ httpGet:

 {{- $mounts_nova_api_osapi := .Values.pod.mounts.nova_api_osapi.nova_api_osapi }}
 {{- $mounts_nova_api_osapi_init := .Values.pod.mounts.nova_api_osapi.init_container }}
+{{- $etcSources := .Values.pod.etcSources.nova_api_osapi }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }}
+{{- end }}

 {{- $serviceAccountName := "nova-api-osapi" }}
 {{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -169,11 +173,12 @@ spec:
          secret:
            secretName: nova-etc
            defaultMode: 0444
+{{- if $etcSources }}
        - name: nova-etc-snippets
          projected:
            sources:
-              - secret:
-                  name: nova-ks-etc
+{{ toYaml $etcSources | indent 14 }}
+{{ end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
--- a/nova/templates/deployment-conductor.yaml
+++ b/nova/templates/deployment-conductor.yaml
@@ -44,6 +44,10 @@ exec:

 {{- $mounts_nova_conductor := .Values.pod.mounts.nova_conductor.nova_conductor }}
 {{- $mounts_nova_conductor_init := .Values.pod.mounts.nova_conductor.init_container }}
+{{- $etcSources := .Values.pod.etcSources.nova_conductor }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }}
+{{- end }}

 {{- $serviceAccountName := "nova-conductor" }}
 {{ tuple $envAll "conductor" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -147,11 +151,12 @@ spec:
          secret:
            secretName: nova-etc
            defaultMode: 0444
+{{- if $etcSources }}
        - name: nova-etc-snippets
          projected:
            sources:
-              - secret:
-                  name: nova-ks-etc
+{{ toYaml $etcSources | indent 14 }}
+{{ end }}
 {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
--- a/nova/templates/deployment-novncproxy.yaml
+++ b/nova/templates/deployment-novncproxy.yaml
@@ -27,6 +27,10 @@ tcpSocket:

 {{- $mounts_nova_novncproxy := .Values.pod.mounts.nova_novncproxy.nova_novncproxy }}
 {{- $mounts_nova_novncproxy_init := .Values.pod.mounts.nova_novncproxy.init_novncproxy }}
+{{- $etcSources := .Values.pod.etcSources.nova_novncproxy }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }}
+{{- end }}

 {{- $vencrypt_enabled := (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }}

@@ -174,11 +178,12 @@ spec:
          secret:
            secretName: nova-etc
            defaultMode: 0444
+{{- if $etcSources }}
        - name: nova-etc-snippets
          projected:
            sources:
-              - secret:
-                  name: nova-ks-etc
+{{ toYaml $etcSources | indent 14 }}
+{{ end }}
        - name: pod-usr-share-novnc
          emptyDir: {}
        - name: pod-shared
--- a/nova/templates/deployment-scheduler.yaml
+++ b/nova/templates/deployment-scheduler.yaml
@@ -44,6 +44,10 @@ exec:

 {{- $mounts_nova_scheduler := .Values.pod.mounts.nova_scheduler.nova_scheduler }}
 {{- $mounts_nova_scheduler_init := .Values.pod.mounts.nova_scheduler.init_container }}
+{{- $etcSources := .Values.pod.etcSources.nova_scheduler }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }}
+{{- end }}

 {{- $serviceAccountName := "nova-scheduler" }}
 {{ tuple $envAll "scheduler" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -147,11 +151,12 @@ spec:
          secret:
            secretName: nova-etc
            defaultMode: 0444
+{{- if $etcSources }}
        - name: nova-etc-snippets
          projected:
            sources:
-              - secret:
-                  name: nova-ks-etc
+{{ toYaml $etcSources | indent 14 }}
+{{ end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
--- a/nova/templates/deployment-serialproxy.yaml
+++ b/nova/templates/deployment-serialproxy.yaml
@@ -27,6 +27,10 @@ tcpSocket:

 {{- $mounts_nova_serialproxy := .Values.pod.mounts.nova_serialproxy.nova_serialproxy }}
 {{- $mounts_nova_serialproxy_init := .Values.pod.mounts.nova_serialproxy.init_serialproxy }}
+{{- $etcSources := .Values.pod.etcSources.nova_serialproxy }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }}
+{{- end }}

 {{- $serviceAccountName := "nova-serialproxy" }}
 {{ tuple $envAll "serialproxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -152,11 +156,12 @@ spec:
          secret:
            secretName: nova-etc
            defaultMode: 0444
+{{- if $etcSources }}
        - name: nova-etc-snippets
          projected:
            sources:
-              - secret:
-                  name: nova-ks-etc
+{{ toYaml $etcSources | indent 14 }}
+{{ end }}
        - name: pod-usr-share-serial
          emptyDir: {}
        - name: pod-shared
--- a/nova/templates/deployment-spiceproxy.yaml
+++ b/nova/templates/deployment-spiceproxy.yaml
@@ -27,6 +27,10 @@ tcpSocket:

 {{- $mounts_nova_spiceproxy := .Values.pod.mounts.nova_spiceproxy.nova_spiceproxy }}
 {{- $mounts_nova_spiceproxy_init := .Values.pod.mounts.nova_spiceproxy.init_spiceproxy }}
+{{- $etcSources := .Values.pod.etcSources.nova_spiceproxy }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }}
+{{- end }}

 {{- $serviceAccountName := "nova-spiceproxy" }}
 {{ tuple $envAll "spiceproxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -160,11 +164,12 @@ spec:
          secret:
            secretName: nova-etc
            defaultMode: 0444
+{{- if $etcSources }}
        - name: nova-etc-snippets
          projected:
            sources:
-              - secret:
-                  name: nova-ks-etc
+{{ toYaml $etcSources | indent 14 }}
+{{ end }}
        - name: pod-usr-share-spice-html5
          emptyDir: {}
        - name: pod-shared
--- a/nova/templates/job-cell-setup.yaml
+++ b/nova/templates/job-cell-setup.yaml
@@ -17,6 +17,10 @@ limitations under the License.

 {{- $serviceAccountName := "nova-cell-setup" }}
 {{ tuple $envAll "cell_setup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- $etcSources := .Values.pod.etcSources.nova_cell_setup }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }}
+{{- end }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -127,11 +131,12 @@ spec:
          secret:
            secretName: nova-etc
            defaultMode: 0444
+{{- if $etcSources }}
        - name: nova-etc-snippets
          projected:
            sources:
-              - secret:
-                  name: nova-ks-etc
+{{ toYaml $etcSources | indent 14 }}
+{{ end }}
        - name: nova-bin
          configMap:
            name: nova-bin
--- a/nova/templates/statefulset-compute-ironic.yaml
+++ b/nova/templates/statefulset-compute-ironic.yaml
@@ -17,6 +17,10 @@ limitations under the License.

 {{- $mounts_nova_compute_ironic := .Values.pod.mounts.nova_compute_ironic.nova_compute_ironic }}
 {{- $mounts_nova_compute_ironic_init := .Values.pod.mounts.nova_compute_ironic.init_container }}
+{{- $etcSources := .Values.pod.etcSources.nova_compute_ironic }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }}
+{{- end }}

 {{- $serviceAccountName := "nova-compute-ironic" }}
 {{ tuple $envAll "compute_ironic" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -109,11 +113,12 @@ spec:
          secret:
            secretName: nova-etc
            defaultMode: 0444
+{{- if $etcSources }}
        - name: nova-etc-snippets
          projected:
            sources:
-              - secret:
-                  name: nova-ks-etc
+{{ toYaml $etcSources | indent 14 }}
+{{ end }}
        - name: varlibironic
          hostPath:
            path: /var/lib/ironic
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -2386,6 +2386,25 @@ pod:
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
        effect: NoSchedule
+  # -- This allows users to add Kubernetes Projected Volumes to be mounted at /etc/nova/nova.conf.d/
+  ## This is a list of projected volume source objects for each deployment/statefulset/job
+  ## https://kubernetes.io/docs/concepts/storage/projected-volumes/
+  etcSources:
+    nova_compute: []
+    nova_compute_ironic: []
+    nova_api_metadata: []
+    nova_api_osapi: []
+    nova_conductor: []
+    nova_scheduler: []
+    nova_bootstrap: []
+    nova_tests: []
+    nova_novncproxy: []
+    nova_serialproxy: []
+    nova_spiceproxy: []
+    nova_db_sync: []
+    nova_archive_deleted_rows: []
+    nova_service_cleaner: []
+    nova_cell_setup: []
  mounts:
    nova_compute:
      init_container: null
--- a/releasenotes/notes/nova-fc00bda9bb69988e.yaml
+++ b/releasenotes/notes/nova-fc00bda9bb69988e.yaml
@@ -0,0 +1,7 @@
+---
+nova:
+  - |
+    Allow users to add additional sources to the Projected Volume that is mounted
+    at /etc/nova/nova.conf.d/ so they may more easily override configs or provide
+    additional configs for the various services in the chart.
+...