From fef3d19e95b52f23aaad722859f9978e65e63147 Mon Sep 17 00:00:00 2001
From: Alexey Odinokov
Date: Fri, 19 Sep 2025 17:48:42 -0500
Subject: [PATCH] Deleting non-used dependecy on the secret with s3-admin it appeared that the creds are not used and it's possible to delete the dependency. this is simpler alternative for https://review.opendev.org/c/openstack/openstack-helm/+/961833
Change-Id: I181f95929ce642f865a8d47b52daf38ae608477c
Signed-off-by: Alexey Odinokov
---
 .../templates/bin/_create_s3_buckets.sh.tpl | 2 --
 elasticsearch/values.yaml | 3 +-
 .../manifests/_job-s3-bucket.yaml.tpl | 3 --
 .../templates/manifests/_job-s3-user.yaml.tpl | 3 --
 .../scripts/_create-s3-bucket.sh.tpl | 35 -------------------
 .../notes/elasticsearch-ba314935c85c3b25.yaml | 7 ++++
 .../notes/helm-toolkit-5fa68b35be3378b3.yaml | 15 ++++++++
 7 files changed, 23 insertions(+), 45 deletions(-)
 delete mode 100644 helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
 create mode 100644 releasenotes/notes/elasticsearch-ba314935c85c3b25.yaml
 create mode 100644 releasenotes/notes/helm-toolkit-5fa68b35be3378b3.yaml
diff --git a/elasticsearch/templates/bin/_create_s3_buckets.sh.tpl b/elasticsearch/templates/bin/_create_s3_buckets.sh.tpl
index c21df06613..911e2a7bd8 100644
--- a/elasticsearch/templates/bin/_create_s3_buckets.sh.tpl
+++ b/elasticsearch/templates/bin/_create_s3_buckets.sh.tpl
@@ -31,8 +31,6 @@ function modify_bucket_acl () { s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME }
-ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
-
 {{- $envAll := . }} {{- range $bucket := .Values.storage.s3.buckets }}
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index 51707df7a0..094a11c137 100644
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -401,7 +401,6 @@ network_policy: secrets: rgw:
- admin: radosgw-s3-admin-creds
 elasticsearch: elasticsearch-s3-user-creds elasticsearch: user: elasticsearch-user-secrets
@@ -919,7 +918,7 @@ storage: # # endpoint: Defaults to the ceph-rgw endpoint # # protocol: Defaults to http # path_style_access: true # Required for ceph-rgw S3 API
- # create_user: true # Attempt to create the user at the ceph_object_store endpoint, authenticating using the secret named at .Values.secrets.rgw.admin
+ # create_user: true # Attempt to create the user at the ceph_object_store endpoint
 # backup: # auth: # username: elasticsearch
diff --git a/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
index b5fdc09c32..e1e2c33e96 100644
--- a/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -86,9 +86,6 @@ spec: - -c - /tmp/create-s3-bucket.sh env:
-{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
-{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
-{{- end }}
 {{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }} volumeMounts: - name: pod-tmp
diff --git a/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
index 77d1a71e98..6ed8e39704 100644
--- a/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -104,9 +104,6 @@ spec: - -c - /tmp/create-s3-user.sh env:
-{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
-{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
-{{- end }}
 {{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }} - name: RGW_HOST value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
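Review bot: The rewritten `create_user` comment in the second values.yaml hunk (`@@ -919,7 +918,7 @@`) no longer says how the job authenticates when it creates the user, which is what an operator scoping credentials for this chart needs to know. The helm-toolkit release note added by this commit says user creation relies on ceph.conf and a keyring, so the comment could read `# create_user: true # Attempt to create the user at the ceph_object_store endpoint, using the ceph.conf and keyring available to the job`. Which keyring the job mounts, and with what caps, is not visible in this patch and is worth stating alongside it. Because the first values.yaml hunk drops `secrets.rgw.admin`, an existing `radosgw-s3-admin-creds` secret is no longer read by this chart; the elasticsearch release note could add that it can be removed if nothing else consumes it, so unused admin credentials are not left in the namespace.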
diff --git a/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
deleted file mode 100644
index bf1465b238..0000000000
--- a/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
+++ /dev/null
@@ -1,35 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-{{- define "helm-toolkit.scripts.create_s3_bucket" }}
-#!/bin/bash
-set -e
-CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
-if [ "$RGW_PROTO" = "http" ]; then
- CONNECTION_ARGS+=" --no-ssl"
-else
- CONNECTION_ARGS+=" --no-check-certificate"
-fi
-ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
-USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
-function check_rgw_s3_bucket () {
- s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
-}
-function create_rgw_s3_bucket () {
- s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
-}
-function modify_bucket_acl () {
- s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
-}
-check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
-{{- end }}
\ No newline at end of file
diff --git a/releasenotes/notes/elasticsearch-ba314935c85c3b25.yaml b/releasenotes/notes/elasticsearch-ba314935c85c3b25.yaml
new file mode 100644
index 0000000000..816b7c5c20
--- /dev/null
+++ b/releasenotes/notes/elasticsearch-ba314935c85c3b25.yaml
@@ -0,0 +1,7 @@
+---
+elasticsearch:
+ - |
+ Elasticsearch job responsible for creation of s3 user and bucket
+ required a secret radosgw-s3-admin-creds to be created,
+ but its data wasn't used. Getting rid of this.
+...
diff --git a/releasenotes/notes/helm-toolkit-5fa68b35be3378b3.yaml b/releasenotes/notes/helm-toolkit-5fa68b35be3378b3.yaml
new file mode 100644
index 0000000000..b829f3e767
--- /dev/null
+++ b/releasenotes/notes/helm-toolkit-5fa68b35be3378b3.yaml
@@ -0,0 +1,15 @@
+---
+helm-toolkit:
+ - |
+ Removing non-used script which allows to create bucket using admin user.
+ Actually any user can do this and there is better script which is
+ utilized by elasticsearch chart:
+ elasticsearch/templates/bin/_create_s3_buckets.sh.tpl
+ The only requirement is - to create the user.
+ Also, removing S3_ADMIN_<> env vars from job manifests
+ (see helm-toolkit.snippets.rgw_s3_admin_env_vars)
+ because those vars are not used by actual scripts.
+ We now use ceph.conf and keyring to create a user.
+ ceph.conf and keyring can be provisioned by either
+ ceph chart or ceph-adapter-rook chart.
+...