Charts to use their own service accounts

Currently charts create one user that
is used to get access to Keystone API to check auth
tokens and other services use this user
to get access to the service managed by this particular
chart.

So chart values must be aligned with each other. For
example when we deploy Neutron we use nova service
account managed by the Nova chart.

The spec [1] suggests charts by default to create
their own service accounts to get access to other APIs
instead of using service accounts managed by other charts.

[1] I12eb9341d5ff633ad4435f4938bf8c946ea388ee

This commit updates the following charts
- Neutron
- Nova
- Cinder

Depends-On: I12eb9341d5ff633ad4435f4938bf8c946ea388ee
Change-Id: Ic059b9bcd89084b0ccd1102ba57db7d3d1130af7

cinder/templates/configmap-etc.yaml

@@ -54,22 +54,22 @@ limitations under the License.
 {{- end }}
 
 {{- if empty $envAll.Values.conf.cinder.nova.region_name -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "region_name" $envAll.Values.endpoints.identity.auth.cinder.region_name -}}
+{{- $_ := set $envAll.Values.conf.cinder.nova "region_name" $envAll.Values.endpoints.identity.auth.nova.region_name -}}
 {{- end -}}
 {{- if empty $envAll.Values.conf.cinder.nova.project_name -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "project_name" $envAll.Values.endpoints.identity.auth.cinder.project_name -}}
+{{- $_ := set $envAll.Values.conf.cinder.nova "project_name" $envAll.Values.endpoints.identity.auth.nova.project_name -}}
 {{- end -}}
 {{- if empty $envAll.Values.conf.cinder.nova.project_domain_name -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.cinder.project_domain_name -}}
+{{- $_ := set $envAll.Values.conf.cinder.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.nova.project_domain_name -}}
 {{- end -}}
 {{- if empty $envAll.Values.conf.cinder.nova.user_domain_name -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.cinder.user_domain_name -}}
+{{- $_ := set $envAll.Values.conf.cinder.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.nova.user_domain_name -}}
 {{- end -}}
 {{- if empty $envAll.Values.conf.cinder.nova.username -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "username" $envAll.Values.endpoints.identity.auth.cinder.username -}}
+{{- $_ := set $envAll.Values.conf.cinder.nova "username" $envAll.Values.endpoints.identity.auth.nova.username -}}
 {{- end -}}
 {{- if empty $envAll.Values.conf.cinder.nova.password -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "password" $envAll.Values.endpoints.identity.auth.cinder.password -}}
+{{- $_ := set $envAll.Values.conf.cinder.nova "password" $envAll.Values.endpoints.identity.auth.nova.password -}}
 {{- end -}}
 
 {{- if empty .Values.conf.cinder.database.connection -}}
@@ -97,19 +97,19 @@ limitations under the License.
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.DEFAULT "backup_swift_auth_url" -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user_domain -}}
-{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user_domain" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user_domain" .Values.endpoints.identity.auth.swift.user_domain_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user -}}
-{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user" .Values.endpoints.identity.auth.cinder.username -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user" .Values.endpoints.identity.auth.swift.username -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_key -}}
-{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_key" .Values.endpoints.identity.auth.cinder.password -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_key" .Values.endpoints.identity.auth.swift.password -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project_domain -}}
-{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project_domain" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project_domain" .Values.endpoints.identity.auth.swift.project_domain_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project -}}
-{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project" .Values.endpoints.identity.auth.cinder.project_name -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project" .Values.endpoints.identity.auth.swift.project_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.DEFAULT.swift_catalog_info -}}
 {{- $_ := set .Values.conf.cinder.DEFAULT "swift_catalog_info" "object-store:swift:internalURL" -}}
@@ -125,22 +125,22 @@ limitations under the License.
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.cinder.service_user "auth_url" -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.service_user.region_name -}}
-{{- $_ := set .Values.conf.cinder.service_user "region_name" .Values.endpoints.identity.auth.cinder.region_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.service_user.project_name -}}
-{{- $_ := set .Values.conf.cinder.service_user "project_name" .Values.endpoints.identity.auth.cinder.project_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.service_user.project_domain_name -}}
-{{- $_ := set .Values.conf.cinder.service_user "project_domain_name" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.service_user.user_domain_name -}}
-{{- $_ := set .Values.conf.cinder.service_user "user_domain_name" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.service_user.username -}}
-{{- $_ := set .Values.conf.cinder.service_user "username" .Values.endpoints.identity.auth.cinder.username -}}
+{{- $_ := set .Values.conf.cinder.service_user "username" .Values.endpoints.identity.auth.service.username -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.service_user.password -}}
-{{- $_ := set .Values.conf.cinder.service_user "password" .Values.endpoints.identity.auth.cinder.password -}}
+{{- $_ := set .Values.conf.cinder.service_user "password" .Values.endpoints.identity.auth.service.password -}}
 {{- end -}}
 {{- end -}}
 

cinder/templates/job-ks-user.yaml

@@ -18,7 +18,14 @@ helm.sh/hook-weight: "-1"
 {{- end }}
 
 {{- if .Values.manifests.job_ks_user }}
-{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- $serviceUsers := (tuple "cinder" "nova") -}}
+{{- if (contains "cinder.backup.drivers.swift" .Values.conf.cinder.DEFAULT.backup_driver) }}
+{{- $serviceUsers = append $serviceUsers "swift" -}}
+{{- end }}
+{{- if .Values.conf.cinder.service_user.send_service_user_token -}}
+{{- $serviceUsers = append $serviceUsers "service" -}}
+{{- end }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" "serviceUsers" $serviceUsers -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
 {{- end -}}

cinder/templates/secret-keystone.yaml

@@ -14,7 +14,7 @@ limitations under the License.
 
 {{- if .Values.manifests.secret_keystone }}
 {{- $envAll := . }}
-{{- range $key1, $userClass := tuple "admin" "cinder" "test" }}
+{{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }}
 {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
 ---
 apiVersion: v1

cinder/values.yaml

@@ -1183,6 +1183,9 @@ secrets:
   identity:
     admin: cinder-keystone-admin
     cinder: cinder-keystone-user
+    nova: cinder-keystone-nova
+    swift: cinder-keystone-swift
+    service: cinder-keystone-service
     test: cinder-keystone-test
   oslo_db:
     admin: cinder-db-admin
@@ -1252,6 +1255,30 @@ endpoints:
         project_name: service
         user_domain_name: service
         project_domain_name: service
+      nova:
+        role: admin,service
+        region_name: RegionOne
+        project_name: service
+        username: cinder_nova
+        password: password
+        user_domain_name: service
+        project_domain_name: service
+      swift:
+        role: admin,service
+        region_name: RegionOne
+        project_name: service
+        username: cinder_swift
+        password: password
+        user_domain_name: service
+        project_domain_name: service
+      service:
+        role: admin,service
+        region_name: RegionOne
+        project_name: service
+        username: cinder_service_user
+        password: password
+        user_domain_name: service
+        project_domain_name: service
       test:
         role: admin
         region_name: RegionOne

neutron/templates/deployment-server.yaml

@@ -184,9 +184,11 @@ spec:
                 command:
                   - /tmp/neutron-server.sh
                   - stop
+{{- if not $envAll.Values.manifests.certificates }}
           ports:
             - name: q-api
               containerPort: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
           volumeMounts:
             - name: pod-tmp
               mountPath: /tmp

neutron/templates/job-ks-user.yaml

@@ -18,7 +18,14 @@ helm.sh/hook-weight: "-1"
 {{- end }}
 
 {{- if .Values.manifests.job_ks_user }}
-{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- $serviceUsers := (tuple "neutron" "nova" "placement") -}}
+{{- if eq (.Values.conf.neutron.DEFAULT.external_dns_driver | default "") "designate" -}}
+{{- $serviceUsers = append $serviceUsers "designate" -}}
+{{- end -}}
+{{- if (has "baremetal" .Values.network.backend) -}}
+{{- $serviceUsers = append $serviceUsers "ironic" -}}
+{{- end -}}
+{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" "serviceUsers" $serviceUsers -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
 {{- end -}}

neutron/templates/secret-keystone.yaml

@@ -14,7 +14,7 @@ limitations under the License.
 
 {{- if .Values.manifests.secret_keystone }}
 {{- $envAll := . }}
-{{- range $key1, $userClass := tuple "admin" "neutron" "test" }}
+{{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }}
 {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
 ---
 apiVersion: v1

neutron/values.yaml

@@ -2291,6 +2291,10 @@ secrets:
   identity:
     admin: neutron-keystone-admin
     neutron: neutron-keystone-user
+    nova: neutron-keystone-nova
+    placement: neutron-keystone-placement
+    designate: neutron-keystone-designate
+    ironic: neutron-keystone-ironic
     test: neutron-keystone-test
   oslo_db:
     admin: neutron-db-admin
@@ -2452,30 +2456,34 @@ endpoints:
         user_domain_name: service
         project_domain_name: service
       nova:
+        role: admin,service
         region_name: RegionOne
         project_name: service
-        username: nova
+        username: neutron_nova
         password: password
         user_domain_name: service
         project_domain_name: service
       placement:
+        role: admin,service
         region_name: RegionOne
         project_name: service
-        username: placement
+        username: neutron_placement
         password: password
         user_domain_name: service
         project_domain_name: service
       designate:
+        role: admin,service
         region_name: RegionOne
         project_name: service
-        username: designate
+        username: neutron_designate
         password: password
         user_domain_name: service
         project_domain_name: service
       ironic:
+        role: admin,service
         region_name: RegionOne
         project_name: service
-        username: ironic
+        username: neutron_ironic
         password: password
         user_domain_name: service
         project_domain_name: service

nova/templates/configmap-etc.yaml

@@ -61,22 +61,22 @@ limitations under the License.
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.service_user "auth_url" -}}
 {{- end -}}
 {{- if empty .Values.conf.nova.service_user.region_name -}}
-{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.nova.region_name -}}
+{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}}
 {{- end -}}
 {{- if empty .Values.conf.nova.service_user.project_name -}}
-{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.nova.project_name -}}
+{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}}
 {{- end -}}
 {{- if empty .Values.conf.nova.service_user.project_domain_name -}}
-{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.nova.project_domain_name -}}
+{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}}
 {{- end -}}
 {{- if empty .Values.conf.nova.service_user.user_domain_name -}}
-{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.nova.user_domain_name -}}
+{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}}
 {{- end -}}
 {{- if empty .Values.conf.nova.service_user.username -}}
-{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.nova.username -}}
+{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.service.username -}}
 {{- end -}}
 {{- if empty .Values.conf.nova.service_user.password -}}
-{{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.nova.password -}}
+{{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.service.password -}}
 {{- end -}}
 
 {{- end -}}

nova/templates/job-ks-user.yaml

@@ -18,7 +18,11 @@ helm.sh/hook-weight: "-1"
 {{- end }}
 
 {{- if .Values.manifests.job_ks_user }}
-{{- $ksUserJob := dict "envAll" . "serviceName" "nova" -}}
+{{- $serviceUsers := (tuple "nova" "neutron" "placement" "ironic" "cinder") -}}
+{{- if .Values.conf.nova.service_user.send_service_user_token }}
+{{- $serviceUsers = append $serviceUsers "service" -}}
+{{- end }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "nova" "serviceUsers" $serviceUsers -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
 {{- end -}}

nova/templates/secret-keystone.yaml

@@ -14,7 +14,7 @@ limitations under the License.
 
 {{- if .Values.manifests.secret_keystone }}
 {{- $envAll := . }}
-{{- range $key1, $userClass := tuple "admin" "nova" "test" }}
+{{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }}
 {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
 ---
 apiVersion: v1

nova/values.yaml

@@ -1641,6 +1641,11 @@ secrets:
   identity:
     admin: nova-keystone-admin
     nova: nova-keystone-user
+    neutron: nova-keystone-neutron
+    placement: nova-keystone-placement
+    cinder: nova-keystone-cinder
+    ironic: nova-keystone-ironic
+    service: nova-keystone-service
     test: nova-keystone-test
   oslo_db:
     admin: nova-db-admin
@@ -1824,30 +1829,40 @@ endpoints:
         project_name: service
         user_domain_name: service
         project_domain_name: service
+      service:
+        role: admin,service
+        region_name: RegionOne
+        username: nova_service_user
+        password: password
+        project_name: service
+        user_domain_name: service
+        project_domain_name: service
       # NOTE(portdirect): the neutron user is not managed by the nova chart
       # these values should match those set in the neutron chart.
       neutron:
+        role: admin,service
         region_name: RegionOne
         project_name: service
         user_domain_name: service
         project_domain_name: service
-        username: neutron
+        username: nova_neutron
         password: password
       # NOTE(portdirect): the ironic user is not managed by the nova chart
       # these values should match those set in the ironic chart.
       ironic:
+        role: admin,service
         auth_type: password
         auth_version: v3
         region_name: RegionOne
         project_name: service
         user_domain_name: service
         project_domain_name: service
-        username: ironic
+        username: nova_ironic
         password: password
       placement:
-        role: admin
+        role: admin,service
         region_name: RegionOne
-        username: placement
+        username: nova_placement
         password: password
         project_name: service
         user_domain_name: service
@@ -1855,7 +1870,7 @@ endpoints:
       cinder:
         role: admin,service
         region_name: RegionOne
-        username: cinder
+        username: nova_cinder
         password: password
         project_name: service
         user_domain_name: service

releasenotes/notes/neutron-2d4db97bc8900286.yaml

@@ -0,0 +1,6 @@
+---
+neutron:
+  - |
+    Create multiple Keystone service accounts to access to
+    other Openstack APIs
+...