diff --git a/heat/templates/job-ks-user-trustee.yaml b/heat/templates/job-ks-user-trustee.yaml
deleted file mode 100644
index 665be8171b..0000000000
--- a/heat/templates/job-ks-user-trustee.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- define "metadata.annotations.job.heat_trust" }}
-helm.sh/hook: post-install,post-upgrade
-{{- end }}
-
-{{- if .Values.manifests.job_ks_user_trustee }}
-{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
-{{- if or .Values.manifests.certificates .Values.tls.identity -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
-{{- end -}}
-{{- if .Values.helm3_hook }}
-{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.heat_trust" . | fromYaml) }}
-{{- end }}
-{{- if .Values.pod.tolerations.heat.enabled -}}
-{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
-{{- end -}}
-{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
-{{- end }}
diff --git a/heat/templates/job-ks-user.yaml b/heat/templates/job-ks-user.yaml
index c5be1fea97..e3fdd6b07a 100644
--- a/heat/templates/job-ks-user.yaml
+++ b/heat/templates/job-ks-user.yaml
@@ -18,7 +18,7 @@ helm.sh/hook-weight: "-1" {{- end }} {{- if .Values.manifests.job_ks_user }} -{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}} +{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUsers" (tuple "heat" "heat_trustee") -}} {{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}} {{- end -}} diff --git a/heat/values.yaml b/heat/values.yaml index 9d33c64767..5075c7e0fd 100644 --- a/heat/values.yaml +++ b/heat/values.yaml @@ -584,7 +584,6 @@ dependencies: - heat-db-sync - heat-rabbit-init - heat-ks-user - - heat-trustee-ks-user - heat-domain-ks-user - heat-ks-endpoints - heat-bootstrap @@ -600,7 +599,6 @@ dependencies: - heat-db-sync - heat-rabbit-init - heat-ks-user - - heat-trustee-ks-user - heat-domain-ks-user - heat-ks-endpoints - heat-bootstrap @@ -616,7 +614,6 @@ dependencies: - heat-db-sync - heat-rabbit-init - heat-ks-user - - heat-trustee-ks-user - heat-domain-ks-user - heat-ks-endpoints - heat-bootstrap @@ -650,7 +647,6 @@ dependencies: - heat-db-sync - heat-rabbit-init - heat-ks-user - - heat-trustee-ks-user - heat-domain-ks-user - heat-ks-endpoints - heat-bootstrap @@ -665,7 +661,6 @@ dependencies: jobs: - heat-db-sync - heat-ks-user - - heat-trustee-ks-user - heat-domain-ks-user - heat-ks-endpoints services: @@ -679,7 +674,6 @@ dependencies: jobs: - heat-db-sync - heat-ks-user - - heat-trustee-ks-user - heat-domain-ks-user - heat-ks-endpoints services: @@ -710,7 +704,6 @@ dependencies: trusts: jobs: - heat-ks-user - - heat-trustee-ks-user - heat-domain-ks-user services: - endpoint: internal diff --git a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl index 58dcdc5c6d..31c120a000 100644 --- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl +++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl 
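Review bot: The trustee account is now created whenever `manifests.job_ks_user` is true, so the `manifests.job_ks_user_trustee` switch, which only the deleted template read, no longer has any effect in the `heat/templates/job-ks-user.yaml` hunk. A deployment that set it to false to manage `heat_trustee` outside the chart would presumably have the chart start managing that account on the next upgrade. None of the `heat/values.yaml` hunks in this diff touches that key, so it appears to stay behind as a dead flag. I would either build the `serviceUsers` list conditionally or remove the key and say so in the release note, and add a comment above the dict such as `{{/* heat_trustee is created by this job as well; manifests.job_ks_user_trustee is no longer read */}}`. The enclosing `if` block continues past the end of the hunk.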
@@ -18,41 +18,27 @@ limitations under the License. # { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" } {{/* - # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml: - # example: - # values: | - # pod: - # security_context: - # ks_user: - # pod: - # runAsUser: 65534 - # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values: - # example: - # values: | - # pod: - # security_context: - # ks_user: - # container: - # ks-user: - # runAsUser: 65534 - # readOnlyRootFilesystem: true - # allowPrivilegeEscalation: false +# This function creates a manifest for keystone user management. +# It can be used in charts as follows: +# {{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUsers" ( tuple "heat" "heat_trustee" ) -}} +# {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} */}} {{- define "helm-toolkit.manifests.job_ks_user" -}} {{- $envAll := index . "envAll" -}} {{- $serviceName := index . "serviceName" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} {{- $jobAnnotations := index . "jobAnnotations" -}} {{- $jobLabels := index . "jobLabels" -}} {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} {{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}} {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} -{{- $serviceUser := index . "serviceUser" | default $serviceName -}} +{{- $singleServiceUser := index . "serviceUser" | default $serviceName -}} +{{- $serviceUsers := index . "serviceUsers" | default (tuple $singleServiceUser) -}} {{- $secretBin := index . "secretBin" -}} {{- $tlsSecret := index . "tlsSecret" | default "" -}} {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} -{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}} {{- $restartPolicy_ := "OnFailure" -}} {{- if hasKey $envAll.Values "jobs" -}} {{- if hasKey $envAll.Values.jobs "ks_user" -}} @@ -61,13 +47,13 @@ limitations under the License. {{- end }} {{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}} -{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }} +{{- $serviceAccountName := printf "%s-ks-user" $serviceNamePretty }} {{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }} + name: {{ printf "%s-ks-user" $serviceNamePretty | quote }} labels: {{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{- if $jobLabels }} @@ -105,7 +91,8 @@ spec: initContainers: {{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - - name: ks-user +{{- range $serviceUser := $serviceUsers }} + - name: {{ printf "%s-ks-user" $serviceUser | replace "_" "-" | quote }} image: {{ $envAll.Values.images.tags.ks_user }} imagePullPolicy: {{ $envAll.Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} @@ -138,6 +125,7 @@ spec: {{- else }} value: {{ $serviceOsRoles | quote }} {{- end }} +{{- end }} volumes: - name: pod-tmp emptyDir: {} diff --git a/releasenotes/notes/heat-5e861ec1ee8e2784.yaml b/releasenotes/notes/heat-5e861ec1ee8e2784.yaml new file mode 100644 index 0000000000..46ef1a756d --- /dev/null +++ b/releasenotes/notes/heat-5e861ec1ee8e2784.yaml 
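Review bot: The rewritten header comment in the first `_job-ks-user.yaml.tpl` hunk deletes the only in-file documentation of `pod.security_context.ks_user` (pod `runAsUser`, container `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false`) and puts nothing in its place, so the hardening settings for this job can no longer be found from the template. I would keep that example below the new usage text and state which container key applies now that containers are named per user; the security-context include is outside the hunk, so whether it still keys on `ks-user` could not be checked here. The comment should also document the precedence between the two inputs, for example `# serviceUsers (list) takes precedence; the legacy serviceUser (string) is used only when serviceUsers is unset.`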
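Review bot: The Job and ServiceAccount names in the `@@ -61,13 +47,13 @@` hunk are now derived from `serviceName` only, so a chart that still includes this template twice with the same `serviceName` and different `serviceUser` values (the pattern the deleted heat trustee template used) renders two objects with the same name. The `serviceUser` fallback kept in the first hunk suggests such callers are meant to keep working, so the old name should be preserved for them, with something like `{{- $jobNameBase := ternary $serviceNamePretty ($singleServiceUser | replace "_" "-") (hasKey . "serviceUsers") -}}` used in both `printf` calls. The rename also breaks any `dependencies` entry that waits on a `<user>-ks-user` job; this commit fixes heat's entries, and other charts are not visible in this diff.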
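Review bot: Every entry of `$serviceUsers` becomes its own item under `containers` in the `@@ -105,7 +91,8 @@` hunk, so the user-creation containers now start concurrently in one pod rather than running as separate jobs. If the script they run (outside this hunk) also creates shared objects such as a project or role, two containers can race on them, so it is worth confirming the script is safe to run in parallel and noting that in a comment above the `range`. The container name is built from `$serviceUser` with only `_` replaced, so a user name containing uppercase or other characters that are invalid in a container name is rejected at apply time; a template-time check or a documented constraint would surface that earlier. The loop body continues outside the hunk and is closed by the `{{- end }}` added in the following hunk.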
@@ -0,0 +1,7 @@
+---
+heat:
+ - |
+ Create heat and heat_trustee service users in a single job.
+ This is to align with the helm-toolkit change regarding
+ Keystone user creation job.
+...
diff --git a/releasenotes/notes/helm-toolkit-a2810391532bd64a.yaml b/releasenotes/notes/helm-toolkit-a2810391532bd64a.yaml
new file mode 100644
index 0000000000..550120dbf3
--- /dev/null
+++ b/releasenotes/notes/helm-toolkit-a2810391532bd64a.yaml
@@ -0,0 +1,5 @@
+---
+helm-toolkit:
+ - |
+ Modify job_ks_user template to be able to create multiple Keystone users
+...