[htk] job_ks_user to create multiple users

There could be scenarios when a chart needs to
create multiple Keystone service users. This patch set modifies
the helm-toolkit job-ks-user manifest so it deploys
the job with multiple containers, where each container
manages a single service user.

Also modify heat chart to align with the change.

Depends-on: I12eb9341d5ff633ad4435f4938bf8c946ea388ee
Change-Id: Icec59a93082ac213eed0531f129e8c44436e6ccc
This commit is contained in:
Vladimir Kozhukalov
2025-04-30 18:26:35 -05:00
parent 12830ffa15
commit a7f921d10b
6 changed files with 25 additions and 63 deletions


@@ -1,31 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "metadata.annotations.job.heat_trust" }}
helm.sh/hook: post-install,post-upgrade
{{- end }}
{{- if .Values.manifests.job_ks_user_trustee }}
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.heat_trust" . | fromYaml) }}
{{- end }}
{{- if .Values.pod.tolerations.heat.enabled -}}
{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}


@@ -18,7 +18,7 @@ helm.sh/hook-weight: "-1"
{{- end }}
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUsers" (tuple "heat" "heat_trustee") -}}
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
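Review bot: Folding the trustee user into this job via `"serviceUsers" (tuple "heat" "heat_trustee")` drops the settings the deleted heat trustee ks-user template carried for that user, and only the tls branch of the surviving job is visible here. The deleted template ran as a `post-install,post-upgrade` hook and set `tolerationsEnabled` from `.Values.pod.tolerations.heat.enabled`; whether the remainder of this job (outside the hunk) applies the same tolerations, and whether creating `heat_trustee` at the earlier hook weight of this job is intended, cannot be confirmed from what is shown. A one-line comment above the dict, e.g. `# heat_trustee is created here too; the former post-install trustee job was removed.`, would make the consolidation explicit for the next reader.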


@@ -584,7 +584,6 @@ dependencies:
- heat-db-sync
- heat-rabbit-init
- heat-ks-user
- heat-trustee-ks-user
- heat-domain-ks-user
- heat-ks-endpoints
- heat-bootstrap
@@ -600,7 +599,6 @@ dependencies:
- heat-db-sync
- heat-rabbit-init
- heat-ks-user
- heat-trustee-ks-user
- heat-domain-ks-user
- heat-ks-endpoints
- heat-bootstrap
@@ -616,7 +614,6 @@ dependencies:
- heat-db-sync
- heat-rabbit-init
- heat-ks-user
- heat-trustee-ks-user
- heat-domain-ks-user
- heat-ks-endpoints
- heat-bootstrap
@@ -650,7 +647,6 @@ dependencies:
- heat-db-sync
- heat-rabbit-init
- heat-ks-user
- heat-trustee-ks-user
- heat-domain-ks-user
- heat-ks-endpoints
- heat-bootstrap
@@ -665,7 +661,6 @@ dependencies:
jobs:
- heat-db-sync
- heat-ks-user
- heat-trustee-ks-user
- heat-domain-ks-user
- heat-ks-endpoints
services:
@@ -679,7 +674,6 @@ dependencies:
jobs:
- heat-db-sync
- heat-ks-user
- heat-trustee-ks-user
- heat-domain-ks-user
- heat-ks-endpoints
services:
@@ -710,7 +704,6 @@ dependencies:
trusts:
jobs:
- heat-ks-user
- heat-trustee-ks-user
- heat-domain-ks-user
services:
- endpoint: internal


@@ -18,41 +18,27 @@ limitations under the License.
# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
{{/*
# To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
# example:
# values: |
# pod:
# security_context:
# ks_user:
# pod:
# runAsUser: 65534
# To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
# example:
# values: |
# pod:
# security_context:
# ks_user:
# container:
# ks-user:
# runAsUser: 65534
# readOnlyRootFilesystem: true
# allowPrivilegeEscalation: false
# This function creates a manifest for keystone user management.
# It can be used in charts as follows:
# {{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUsers" ( tuple "heat" "heat_trustee" ) -}}
# {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
*/}}
{{- define "helm-toolkit.manifests.job_ks_user" -}}
{{- $envAll := index . "envAll" -}}
{{- $serviceName := index . "serviceName" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $jobAnnotations := index . "jobAnnotations" -}}
{{- $jobLabels := index . "jobLabels" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
{{- $singleServiceUser := index . "serviceUser" | default $serviceName -}}
{{- $serviceUsers := index . "serviceUsers" | default (tuple $singleServiceUser) -}}
{{- $secretBin := index . "secretBin" -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
{{- $restartPolicy_ := "OnFailure" -}}
{{- if hasKey $envAll.Values "jobs" -}}
{{- if hasKey $envAll.Values.jobs "ks_user" -}}
@@ -61,13 +47,13 @@ limitations under the License.
{{- end }}
{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
{{- $serviceAccountName := printf "%s-ks-user" $serviceNamePretty }}
{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
name: {{ printf "%s-ks-user" $serviceNamePretty | quote }}
labels:
{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- if $jobLabels }}
@@ -105,7 +91,8 @@ spec:
initContainers:
{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: ks-user
{{- range $serviceUser := $serviceUsers }}
- name: {{ printf "%s-ks-user" $serviceUser | replace "_" "-" | quote }}
image: {{ $envAll.Values.images.tags.ks_user }}
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@@ -138,6 +125,7 @@ spec:
{{- else }}
value: {{ $serviceOsRoles | quote }}
{{- end }}
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
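Review bot: The Job and ServiceAccount names now derive from `serviceName` (the `printf "%s-ks-user" $serviceNamePretty` on the new `$serviceAccountName` and `metadata.name` lines) rather than from `serviceUser`, while the singular `serviceUser` is still accepted through `$singleServiceUser`, so a chart that keeps the old pattern of invoking the template twice with one `serviceName` and different `serviceUser` values silently renders two Jobs and two ServiceAccounts with the same name. Either derive the name from the single user when `serviceUser` is given, or document the new contract in the replaced header comment, e.g. `# serviceUser (singular) is still accepted but no longer affects the Job/ServiceAccount name, which is always <serviceName>-ks-user; pass every user via serviceUsers instead of invoking the template twice.` The removed header was also the only place describing how to enable the pod and container security contexts for this job (runAsUser 65534, readOnlyRootFilesystem, allowPrivilegeEscalation false), and with the containers renamed to `<user>-ks-user` it is worth confirming that the security-context snippet call sitting between these hunks is not keyed by the old `ks-user` container name. The `range` body over `$serviceUsers` continues outside the visible hunks.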


@@ -0,0 +1,7 @@
---
heat:
- |
Create heat and heat_trustee service users in a single job.
This is to align with the helm-toolkit change regarding
Keystone user creation job.
...


@@ -0,0 +1,5 @@
---
helm-toolkit:
- |
Modify job_ks_user template to be able to create multiple Keystone users
...