feat: use mariadb operator for OpenStack db secrets

Generate and inject the database connection info via a secret generated
by the MariaDB operator to create a connection string that matches what
oslo.config reads.

Unfortunately OpenStack Helm doesn't always respect the mount for the
db_sync job so this won't work until that's fixed upstream and we bump
to releases with those fixes for all the services.

Author: cardoe

components/glance/glance-mariadb-db.yaml

@@ -50,3 +50,26 @@ spec:
   grantOption: true
   host: "%"
   retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Connection
+metadata:
+  name: glance-db-conn
+spec:
+  mariaDbRef:
+    name: mariadb
+  username: glance
+  passwordSecretKeyRef:
+    name: glance-db-password
+    key: password
+  database: glance
+  secretName: glance-db-conn
+  secretTemplate:
+    key: db_conn.conf
+    format: |
+      [database]
+      connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }}
+  healthCheck:
+    interval: 30s
+    retryInterval: 3s
+  serviceName: mariadb

components/glance/values.yaml

@@ -89,6 +89,38 @@ pod:
             periodSeconds: 10
             timeoutSeconds: 8
             failureThreshold: 6
+  mounts:
+    # oslo.config autoloads certain paths in alphabetical order
+    # which gives us the opportunity to inject secrets and extra
+    # configs here. likely the best paths are:
+    # /etc/${project}/${prog}.conf.d/*.conf
+    # /etc/${project}/${project}.conf.d/*.conf
+    # the first would be best for per service separation but since each
+    # service is in its own pod they won't overlap. further more there
+    # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514
+    # so we'll use the bottom one
+    glance_api:
+      glance_api:
+        volumeMounts:
+          - mountPath: /etc/glance/glance.conf.d/db_conn.conf
+            name: glance-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: glance-db-conn
+            secret:
+              secretName: glance-db-conn
+    glance_db_sync:
+      glance_db_sync:
+        volumeMounts:
+          - mountPath: /etc/glance/glance.conf.d/db_conn.conf
+            name: glance-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: glance-db-conn
+            secret:
+              secretName: glance-db-conn
 
 conf:
   glance_api_uwsgi:

components/horizon/horizon-mariadb-db.yaml

@@ -50,3 +50,26 @@ spec:
   grantOption: true
   host: "%"
   retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Connection
+metadata:
+  name: horizon-db-conn
+spec:
+  mariaDbRef:
+    name: mariadb
+  username: horizon
+  passwordSecretKeyRef:
+    name: horizon-db-password
+    key: password
+  database: horizon
+  secretName: horizon-db-conn
+  secretTemplate:
+    key: db_conn.conf
+    format: |
+      [database]
+      connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }}
+  healthCheck:
+    interval: 30s
+    retryInterval: 3s
+  serviceName: mariadb

components/horizon/values.yaml

@@ -76,6 +76,38 @@ pod:
         # this should be set to no more than (pod.replicas.horizon - 1)
         # usually set on per-deployment basis.
         min_available: 0
+  mounts:
+    # oslo.config autoloads certain paths in alphabetical order
+    # which gives us the opportunity to inject secrets and extra
+    # configs here. likely the best paths are:
+    # /etc/${project}/${prog}.conf.d/*.conf
+    # /etc/${project}/${project}.conf.d/*.conf
+    # the first would be best for per service separation but since each
+    # service is in its own pod they won't overlap. further more there
+    # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514
+    # so we'll use the bottom one
+    horizon:
+      horizon:
+        volumeMounts:
+          - mountPath: /etc/horizon/horizon.conf.d/db_conn.conf
+            name: horizon-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: horizon-db-conn
+            secret:
+              secretName: horizon-db-conn
+    horizon_db_sync:
+      horizon_db_sync:
+        volumeMounts:
+          - mountPath: /etc/horizon/horizon.conf.d/db_conn.conf
+            name: horizon-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: horizon-db-conn
+            secret:
+              secretName: horizon-db-conn
 
 # We don't want to enable OpenStack Helm's
 # helm.sh/hooks because they set them as

components/ironic/ironic-mariadb-db.yaml

@@ -50,3 +50,26 @@ spec:
   grantOption: true
   host: "%"
   retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Connection
+metadata:
+  name: ironic-db-conn
+spec:
+  mariaDbRef:
+    name: mariadb
+  username: ironic
+  passwordSecretKeyRef:
+    name: ironic-db-password
+    key: password
+  database: ironic
+  secretName: ironic-db-conn
+  secretTemplate:
+    key: db_conn.conf
+    format: |
+      [database]
+      connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }}
+  healthCheck:
+    interval: 30s
+    retryInterval: 3s
+  serviceName: mariadb

components/ironic/values.yaml

@@ -169,16 +169,54 @@ manifests:
 
 pod:
   mounts:
+    # oslo.config autoloads certain paths in alphabetical order
+    # which gives us the opportunity to inject secrets and extra
+    # configs here. likely the best paths are:
+    # /etc/${project}/${prog}.conf.d/*.conf
+    # /etc/${project}/${project}.conf.d/*.conf
+    # the first would be best for per service separation but since each
+    # service is in its own pod they won't overlap. further more there
+    # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514
+    # so we'll use the bottom one
+    ironic_api:
+      ironic_api:
+        volumeMounts:
+          - mountPath: /etc/ironic/ironic.conf.d/db_conn.conf
+            name: ironic-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: ironic-db-conn
+            secret:
+              secretName: ironic-db-conn
+    ironic_db_sync:
+      ironic_db_sync:
+        volumeMounts:
+          - mountPath: /etc/ironic/ironic.conf.d/db_conn.conf
+            name: ironic-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: ironic-db-conn
+            secret:
+              secretName: ironic-db-conn
     ironic_conductor:
       ironic_conductor:
         volumeMounts:
+          - mountPath: /etc/ironic/ironic.conf.d/db_conn.conf
+            name: ironic-db-conn
+            subPath: db_conf.conf
+            readOnly: true
           - name: dnsmasq-ironic
             mountPath: /etc/dnsmasq.d/
           - name: dnsmasq-dhcp
             mountPath: /var/lib/dnsmasq/
           - name: understack-data
             mountPath: /var/lib/understack
         volumes:
+          - name: ironic-db-conn
+            secret:
+              secretName: ironic-db-conn
           - name: dnsmasq-ironic
             persistentVolumeClaim:
               claimName: dnsmasq-ironic

components/keystone/keystone-mariadb-db.yaml

@@ -50,3 +50,26 @@ spec:
   grantOption: true
   host: "%"
   retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Connection
+metadata:
+  name: keystone-db-conn
+spec:
+  mariaDbRef:
+    name: mariadb
+  username: keystone
+  passwordSecretKeyRef:
+    name: keystone-db-password
+    key: password
+  database: keystone
+  secretName: keystone-db-conn
+  secretTemplate:
+    key: db_conn.conf
+    format: |
+      [database]
+      connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }}
+  healthCheck:
+    interval: 30s
+    retryInterval: 3s
+  serviceName: mariadb

components/keystone/values.yaml

@@ -225,19 +225,103 @@ pod:
     keystone_api:
       keystone_api:
         volumeMounts:
+          - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf
+            name: keystone-db-conn
+            subPath: db_conf.conf
+            readOnly: true
           - name: keystone-sso
             mountPath: /etc/keystone-sso
             readOnly: true
           - name: oidc-secret
             mountPath: /etc/oidc-secret
             readOnly: true
         volumes:
+          - name: keystone-db-conn
+            secret:
+              secretName: keystone-db-conn
           - name: keystone-sso
             secret:
               secretName: keystone-sso
           - name: oidc-secret
             secret:
               secretName: sso-passphrase
+    keystone_db_sync:
+      keystone_db_sync:
+        volumeMounts:
+          - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf
+            name: keystone-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: keystone-db-conn
+            secret:
+              secretName: keystone-db-conn
+    keystone_credential_setup:
+      keystone_credential_setup:
+        volumeMounts:
+          - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf
+            name: keystone-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: keystone-db-conn
+            secret:
+              secretName: keystone-db-conn
+    keystone_fernet_setup:
+      keystone_fernet_setup:
+        volumeMounts:
+          - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf
+            name: keystone-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: keystone-db-conn
+            secret:
+              secretName: keystone-db-conn
+    keystone_credential_rotate:
+      keystone_credential_rotate:
+        volumeMounts:
+          - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf
+            name: keystone-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: keystone-db-conn
+            secret:
+              secretName: keystone-db-conn
+    keystone_fernet_rotate:
+      keystone_fernet_rotate:
+        volumeMounts:
+          - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf
+            name: keystone-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: keystone-db-conn
+            secret:
+              secretName: keystone-db-conn
+    keystone_credential_cleanup:
+      keystone_credential_cleanup:
+        volumeMounts:
+          - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf
+            name: keystone-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: keystone-db-conn
+            secret:
+              secretName: keystone-db-conn
+    keystone_domain_manage:
+      keystone_domain_manage:
+        volumeMounts:
+          - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf
+            name: keystone-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: keystone-db-conn
+            secret:
+              secretName: keystone-db-conn
   replicas:
     api: 2
   lifecycle:

components/neutron/neutron-mariadb-db.yaml

@@ -50,3 +50,26 @@ spec:
   grantOption: true
   host: "%"
   retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Connection
+metadata:
+  name: neutron-db-conn
+spec:
+  mariaDbRef:
+    name: mariadb
+  username: neutron
+  passwordSecretKeyRef:
+    name: neutron-db-password
+    key: password
+  database: neutron
+  secretName: neutron-db-conn
+  secretTemplate:
+    key: db_conn.conf
+    format: |
+      [database]
+      connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }}
+  healthCheck:
+    interval: 30s
+    retryInterval: 3s
+  serviceName: mariadb