rackerlabs
diff --git a/‎components/cinder/values.yaml‎
Lines changed: 6 additions & 1 deletion b/‎components/cinder/values.yaml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎components/glance/values.yaml‎
Lines changed: 6 additions & 1 deletion b/‎components/glance/values.yaml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎components/ironic/values.yaml‎
Lines changed: 6 additions & 0 deletions b/‎components/ironic/values.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎components/keystone/values.yaml‎
Lines changed: 6 additions & 1 deletion b/‎components/keystone/values.yaml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎components/neutron/values.yaml‎
Lines changed: 6 additions & 1 deletion b/‎components/neutron/values.yaml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎components/nova/values.yaml‎
Lines changed: 6 additions & 1 deletion b/‎components/nova/values.yaml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎components/octavia/values.yaml‎
Lines changed: 6 additions & 1 deletion b/‎components/octavia/values.yaml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎components/openstack/templates/keystone-service-user.yaml.tpl‎
Lines changed: 83 additions & 0 deletions b/‎components/openstack/templates/keystone-service-user.yaml.tpl‎
Lines changed: 83 additions & 0 deletions
diff --git a/‎components/openstack/templates/secretstore-openstack.yaml.tpl‎
Lines changed: 12 additions & 3 deletions b/‎components/openstack/templates/secretstore-openstack.yaml.tpl‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎components/openstack/values.schema.json‎
Lines changed: 92 additions & 0 deletions b/‎components/openstack/values.schema.json‎
Lines changed: 92 additions & 0 deletions
@@ -126,7 +126,6 @@ dependencies:
         - cinder-ks-endpoints
 
 manifests:
-  secret_keystone: true
   job_backup_storage_init: false
   job_bootstrap: false
   job_clean: false
@@ -141,6 +140,12 @@ manifests:
   secret_registry: false
   service_ingress_api: false
   deployment_backup: false
+  # We set the `secret_keystone` and `secret_ks_etc` to false in order to disable
+  # Kubernetes section generation in OpenStack Helm, because we want those
+  # to be generated indirectly via ESO as configured in keystoneServiceUsers.enabled
+  # that is later consumed via components/openstack helm chart
+  secret_keystone: false
+  secret_ks_etc: false
 
 annotations:
   # we need to modify the annotations on OpenStack Helm
 
@@ -109,8 +109,13 @@ manifests:
   job_image_repo_sync: false
   pod_rally_test: false
   secret_db: false
-  secret_keystone: true
   service_ingress_api: false
+  # We set the `secret_keystone` and `secret_ks_etc` to false in order to disable
+  # Kubernetes section generation in OpenStack Helm, because we want those
+  # to be generated indirectly via ESO as configured in keystoneServiceUsers.enabled
+  # that is later consumed via components/openstack helm chart
+  secret_keystone: false
+  secret_ks_etc: false
 
 annotations:
   # we need to modify the annotations on OpenStack Helm
 
@@ -192,6 +192,12 @@ manifests:
   secret_rabbitmq: false
   secret_registry: false
   service_ingress_api: false
+  # We set the `secret_keystone` and `secret_ks_etc` to false in order to disable
+  # Kubernetes section generation in OpenStack Helm, because we want those
+  # to be generated indirectly via ESO as configured in keystoneServiceUsers.enabled
+  # that is later consumed via components/openstack helm chart
+  secret_keystone: false
+  secret_ks_etc: false
 
 pod:
   mounts:
 
@@ -304,11 +304,16 @@ manifests:
   job_rabbit_init: false
   pod_rally_test: false
   secret_db: false
-  secret_keystone: true
   service_ingress_api: false
   # these next two we create ourselves to avoid helm hooks issues
   secret_credential_keys: false
   secret_fernet_keys: false
+  # We set the `secret_keystone` and `secret_ks_etc` to false in order to disable
+  # Kubernetes section generation in OpenStack Helm, because we want those
+  # to be generated indirectly via ESO as configured in keystoneServiceUsers.enabled
+  # that is later consumed via components/openstack helm chart
+  secret_keystone: false
+  secret_ks_etc: false
 
 annotations:
   # we need to modify the annotations on OpenStack Helm
 
@@ -175,7 +175,6 @@ manifests:
   job_rabbit_init: false
   pod_rally_test: false
   secret_db: false
-  secret_keystone: true
   # OVN has its own pieces and does not need the following:
   # - neutron-dhcp-agent (OVN's does not work with baremetal/ironic currently)
   # - neutron-l3-agent
@@ -197,6 +196,12 @@ manifests:
   daemonset_netns_cleanup_cron: false
   deployment_ironic_agent: true
   service_ingress_server: false
+  # We set the `secret_keystone` and `secret_ks_etc` to false in order to disable
+  # Kubernetes section generation in OpenStack Helm, because we want those
+  # to be generated indirectly via ESO as configured in keystoneServiceUsers.enabled
+  # that is later consumed via components/openstack helm chart
+  secret_keystone: false
+  secret_ks_etc: false
 
 annotations:
   # we need to modify the annotations on OpenStack Helm
 
@@ -165,11 +165,16 @@ manifests:
   secret_db_api: true
   secret_db_cell0: true
   secret_db: true
-  secret_keystone: true
   service_ingress_metadata: false
   service_ingress_osapi: false
   daemonset_compute: false
   statefulset_compute_ironic: true
+  # We set the `secret_keystone` and `secret_ks_etc` to false in order to disable
+  # Kubernetes section generation in OpenStack Helm, because we want those
+  # to be generated indirectly via ESO as configured in keystoneServiceUsers.enabled
+  # that is later consumed via components/openstack helm chart
+  secret_keystone: false
+  secret_ks_etc: false
 
 annotations:
   # we need to modify the annotations on OpenStack Helm
 
@@ -91,8 +91,13 @@ manifests:
   job_rabbit_init: false
   pod_rally_test: false
   secret_db: true
-  secret_keystone: true
   service_ingress_api: false
+  # We set the `secret_keystone` and `secret_ks_etc` to false in order to disable
+  # Kubernetes section generation in OpenStack Helm, because we want those
+  # to be generated indirectly via ESO as configured in keystoneServiceUsers.enabled
+  # that is later consumed via components/openstack helm chart
+  secret_keystone: false
+  secret_ks_etc: false
 
 annotations:
   # we need to modify the annotations on OpenStack Helm
 
@@ -0,0 +1,83 @@
+{{- if .Values.keystoneServiceUsers.enabled }}
+{{- range $serviceName, $users := .Values.keystoneServiceUsers.services }}
+{{- range $_, $user := $users }}
+{{/* special override for the admin user since its in the bootstrap domain of default */}}
+{{- $user_domain_name := eq $user.usage "admin" | ternary "default" "service" }}
+{{- $project_domain_name := eq $user.usage "admin" | ternary "default" ( default "service" $user.project_domain_name ) }}
+{{- $project_name := eq $user.usage "admin" | ternary "admin" ( default "service" $user.project_name ) }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ (printf "%s-keystone-%s" $serviceName $user.usage) | quote }}
+{{- if $.Values.keystoneServiceUsers.externalLinkAnnotationTemplate }}
+  annotations:
+    link.argocd.argoproj.io/external-link: {{ tpl $.Values.keystoneServiceUsers.externalLinkAnnotationTemplate (dict "remoteRef" $user.remoteRef) | quote }}
+{{- end }}
+spec:
+  refreshInterval: {{ $.Values.externalSecretsRefreshInterval | default "1h" }}
+  secretStoreRef:
+    kind: {{ $.Values.keystoneServiceUsers.secretStore.kind | quote }}
+    name: {{ $.Values.keystoneServiceUsers.secretStore.name | quote }}
+  target:
+    name: {{ (printf "%s-keystone-%s" $serviceName $user.usage) | quote }}
+    template:
+      engineVersion: v2
+      data:
+        OS_AUTH_URL: {{ $.Values.keystoneUrl | quote }}
+        OS_DEFAULT_DOMAIN: 'default'
+        OS_INTERFACE: {{ $.Values.keystoneServiceUsers.keystoneInterface | quote }}
+        OS_PROJECT_DOMAIN_NAME: {{ $project_domain_name | quote }}
+        OS_PROJECT_NAME: {{ $project_name | quote }}
+        OS_USER_DOMAIN_NAME: {{ $user_domain_name | quote }}
+        OS_USERNAME: {{ `{{ .username }}` | quote }}
+        OS_PASSWORD: {{ `{{ .password }}` | quote }}
+        OS_REGION_NAME: {{ $.Values.regionName | quote }}
+  dataFrom:
+  - extract:
+      key: {{ $user.remoteRef | quote }}
+{{- end }}
+{{- end }}
+{{- range $serviceName, $users := .Values.keystoneServiceUsers.services }}
+{{- if not (eq $serviceName "keystone") }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ (printf "%s-ks-etc" $serviceName) | quote }}
+spec:
+  refreshInterval: {{ $.Values.externalSecretsRefreshInterval | default "1h" }}
+  secretStoreRef:
+    kind: {{ $.Values.keystoneServiceUsers.secretStore.kind | quote }}
+    name: {{ $.Values.keystoneServiceUsers.secretStore.name | quote }}
+  target:
+    name: {{ (printf "%s-ks-etc" $serviceName) | quote }}
+    template:
+      engineVersion: v2
+      data:
+        {{ (printf "%s_auth.conf" $serviceName) | quote }}: |
+        {{- range $_, $user := $users }}
+        {{- $section := $user.section | default $user.usage }}
+        {{- $section := eq $section "user" | ternary "keystone_authtoken" $section -}}
+        {{- $shouldSkip := or (eq $user.usage "test") (eq $user.usage "admin") }}
+        {{- if not $shouldSkip }}
+          [{{ $section }}]
+          username={{ printf "{{ (fromJson .%s).username }}" $user.usage }}
+          password={{ printf "{{ (fromJson .%s).password }}" $user.usage }}
+          region_name={{ $.Values.regionName | quote }}
+        {{- end }}
+        {{- end }}
+  data:
+  {{/* default section name is the usage field */}}
+  {{/* usage test and admin are special in OpenStack Helm and not added to the config file */}}
+  {{- range $_, $user := $users -}}
+  {{- $shouldSkip := or (eq $user.usage "test") (eq $user.usage "admin") -}}
+  {{- if not $shouldSkip }}
+    - secretKey: {{ $user.usage }}
+      remoteRef:
+        key: {{ $user.remoteRef | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
@@ -15,7 +15,7 @@ type: kubernetes.io/service-account-token
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: eso-openstack-role
+  name: eso-openstack
 rules:
 - apiGroups: [""]
   resources:
@@ -28,6 +28,15 @@ rules:
   - svc-acct-argoworkflow
   - svc-acct-netapp
   - cinder-netapp-config
+  - admin-keystone-password
+  - cinder-keystone-password
+  - glance-keystone-password
+  - ironic-keystone-password
+  - neutron-keystone-password
+  - nova-keystone-password
+  - octavia-keystone-password
+  - placement-keystone-password
+  - skyline-keystone-password
 - apiGroups:
   - authorization.k8s.io
   resources:
@@ -38,11 +47,11 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: eso-openstack-rolebinding
+  name: eso-openstack
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: eso-openstack-role
+  name: eso-openstack
 subjects:
 - kind: ServiceAccount
   name: eso-openstack
 
@@ -4,6 +4,21 @@
   "description": "Schema for OpenStack component values.yaml configuration",
   "type": "object",
   "properties": {
+    "regionName": {
+      "type": "string",
+      "description": "OpenStack region that this deployment corresponds to"
+    },
+    "keystoneUrl": {
+      "type": "string",
+      "default": "http://keystone-api.openstack.svc.cluster.local:5000/v3",
+      "description": "Keystone API URL for OpenStack authentication"
+    },
+    "externalSecretsRefreshInterval": {
+      "type": "string",
+      "pattern": "^[0-9]+(s|m|h|d)",
+      "default": "1h",
+      "description": "How often External Secrets Operator refreshes each secret"
+    },
     "mariadb": {
       "type": "object",
       "description": "OpenStack mariadb instance settings",
@@ -104,6 +119,82 @@
       },
       "additionalProperties": false
     },
+    "keystoneServiceUsers": {
+      "type": "object",
+      "description": "OpenStack service users for OpenStack Helm charts",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "description": "Enables or disables loading OpenStack service users via External Secrets Operator"
+        },
+        "secretStore": {
+          "type": "object",
+          "description": "External Secrets Operator Secret Store configuration",
+          "properties": {
+            "kind": {
+              "type": "string",
+              "enum": ["ClusterSecretStore", "SecretStore"],
+              "description": "Type of secret store - ClusterSecretStore or SecretStore for namespaced"
+            },
+            "name": {
+              "type": "string",
+              "description": "Name of the ClusterSecretStore or SecretStore to use"
+            }
+          },
+          "required": ["kind", "name"],
+          "additionalProperties": false
+        },
+        "externalLinkAnnotationTemplate": {
+          "type": "string",
+          "description": "Optional template for external link annotations on ExternalSecret resources"
+        },
+        "keystoneInterface": {
+          "type": "string",
+          "default": "internal",
+          "description": "OpenStack service catalog interface to use"
+        },
+        "services": {
+          "type": "object",
+          "description": "Service users organized by service name",
+          "patternProperties": {
+            "^[a-zA-Z0-9_-]+$": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "usage": {
+                    "type": "string",
+                    "description": "Usage identifier for the service user"
+                  },
+                  "remoteRef": {
+                    "type": "string",
+                    "description": "Credential identifier"
+                  },
+                  "section": {
+                    "type": "string",
+                    "description": "Configuration section name"
+                  },
+                  "project_domain_name": {
+                    "type": "string",
+                    "description": "Domain name where this service account will access a project"
+                  },
+                  "project_name": {
+                    "type": "string",
+                    "description": "Project name that this service account will access"
+                  }
+                },
+                "required": [
+                  "usage",
+                  "remoteRef"
+                ],
+                "additionalProperties": false
+              }
+            }
+          }
+        }
+      },
+      "additionalProperties": false
+    },
     "extraObjects": {
       "type": "array",
       "description": "Array of extra Kubernetes manifests to deploy",
@@ -140,5 +231,6 @@
       }
     }
   },
+  "required": ["regionName"],
   "additionalProperties": false
 }