Merge pull request #1235 from rackerlabs/openstack-service-users

feat(openstack): share service acct credentials via ESO

Author: cardoe

components/cinder/configmap-cinder-bin.yaml

@@ -6,3 +6,7 @@ resources:
   - cinder-mariadb-db.yaml
   - cinder-rabbitmq-queue.yaml
   - cinder-volume-netapp.yaml
+  # less than ideal addition but necessary so that we can have the cinder.conf.d loading
+  # working due to the way the chart hardcodes the config-file parameter which then
+  # takes precedence over the directory
+  - configmap-cinder-bin.yaml

components/cinder/kustomization.yaml

@@ -62,16 +62,94 @@ pod:
         volumeMounts:
           - mountPath: /var/lib/cinder
             name: var-lib-cinder
-          - mountPath: /etc/cinder/cinder.conf.d/netapp_nvme.conf
-            subPath: netapp_nvme.conf
-            name: volume-backend
+          - name: cinder-etc-snippets
+            mountPath: /etc/cinder/cinder.conf.d/
             readOnly: true
         volumes:
           - name: var-lib-cinder
             emptyDir: {}
-          - name: volume-backend
-            secret:
-              secretName: cinder-netapp-config
+          - name: cinder-etc-snippets
+            projected:
+              sources:
+                - secret:
+                    name: cinder-ks-etc
+                - secret:
+                    name: volume-backend
+                    items:
+                      - key: netapp_nvme.conf
+                        path: netapp_nvme.conf
+    cinder_volume_usage_audit:
+      cinder_volume_usage_audit:
+        volumeMounts:
+          - name: cinder-etc-snippets
+            mountPath: /etc/cinder/cinder.conf.d/
+            readOnly: true
+        volumes:
+          - name: cinder-etc-snippets
+            projected:
+              sources:
+                - secret:
+                    name: cinder-ks-etc
+    cinder_db_sync:
+      cinder_db_sync:
+        volumeMounts:
+          - name: cinder-etc-snippets
+            mountPath: /etc/cinder/cinder.conf.d/
+            readOnly: true
+        volumes:
+          - name: cinder-etc-snippets
+            projected:
+              sources:
+                - secret:
+                    name: cinder-ks-etc
+    cinder_backup:
+      cinder_backup:
+        volumeMounts:
+          - name: cinder-etc-snippets
+            mountPath: /etc/cinder/cinder.conf.d/
+            readOnly: true
+        volumes:
+          - name: cinder-etc-snippets
+            projected:
+              sources:
+                - secret:
+                    name: cinder-ks-etc
+    cinder_scheduler:
+      cinder_scheduler:
+        volumeMounts:
+          - name: cinder-etc-snippets
+            mountPath: /etc/cinder/cinder.conf.d/
+            readOnly: true
+        volumes:
+          - name: cinder-etc-snippets
+            projected:
+              sources:
+                - secret:
+                    name: cinder-ks-etc
+    cinder_db_purge:
+      cinder_db_purge:
+        volumeMounts:
+          - name: cinder-etc-snippets
+            mountPath: /etc/cinder/cinder.conf.d/
+            readOnly: true
+        volumes:
+          - name: cinder-etc-snippets
+            projected:
+              sources:
+                - secret:
+                    name: cinder-ks-etc
+    cinder_api:
+      cinder_api:
+        volumeMounts:
+          - name: cinder-etc-snippets
+            mountPath: /etc/cinder/cinder.conf.d/
+            readOnly: true
+        volumes:
+          - name: cinder-etc-snippets
+            projected:
+              sources:
+                - secret:
+                    name: cinder-ks-etc
   lifecycle:
     disruption_budget:
       deployments:
@@ -126,7 +204,6 @@ dependencies:
         - cinder-ks-endpoints
 
 manifests:
-  secret_keystone: true
   job_backup_storage_init: false
   job_bootstrap: false
   job_clean: false
@@ -141,6 +218,16 @@ manifests:
   secret_registry: false
   service_ingress_api: false
   deployment_backup: false
+  # We set the `secret_keystone` and `secret_ks_etc` to false in order to disable
+  # Kubernetes section generation in OpenStack Helm, because we want those
+  # to be generated indirectly via ESO as configured in keystoneServiceUsers.enabled
+  # that is later consumed via components/openstack helm chart
+  secret_keystone: false
+  secret_ks_etc: false
+  # less than ideal but currently necessary due to the way the chart
+  # hardcodes the config-file flag which then causes oslo.config to prefer
+  # that data over the directory which we want to override
+  configmap_bin: false
 
 annotations:
   # we need to modify the annotations on OpenStack Helm

components/cinder/values.yaml

@@ -65,6 +65,31 @@ dependencies:
         - glance-ks-endpoints
 
 pod:
+  mounts:
+    glance_db_sync:
+      glance_db_sync:
+        volumeMounts:
+          - name: glance-etc-snippets
+            mountPath: /etc/glance/glance.conf.d/
+            readOnly: true
+        volumes:
+          - name: glance-etc-snippets
+            projected:
+              sources:
+                - secret:
+                    name: glance-ks-etc
+    glance_api:
+      glance_api:
+        volumeMounts:
+          - name: glance-etc-snippets
+            mountPath: /etc/glance/glance.conf.d/
+            readOnly: true
+        volumes:
+          - name: glance-etc-snippets
+            projected:
+              sources:
+                - secret:
+                    name: glance-ks-etc
   lifecycle:
     disruption_budget:
       api:
@@ -109,8 +134,13 @@ manifests:
   job_image_repo_sync: false
   pod_rally_test: false
   secret_db: false
-  secret_keystone: true
   service_ingress_api: false
+  # We set the `secret_keystone` and `secret_ks_etc` to false in order to disable
+  # Kubernetes section generation in OpenStack Helm, because we want those
+  # to be generated indirectly via ESO as configured in keystoneServiceUsers.enabled
+  # that is later consumed via components/openstack helm chart
+  secret_keystone: false
+  secret_ks_etc: false
 
 annotations:
   # we need to modify the annotations on OpenStack Helm

components/glance/values.yaml

@@ -192,6 +192,12 @@ manifests:
   secret_rabbitmq: false
   secret_registry: false
   service_ingress_api: false
+  # We set the `secret_keystone` and `secret_ks_etc` to false in order to disable
+  # Kubernetes section generation in OpenStack Helm, because we want those
+  # to be generated indirectly via ESO as configured in keystoneServiceUsers.enabled
+  # that is later consumed via components/openstack helm chart
+  secret_keystone: false
+  secret_ks_etc: false
 
 pod:
   mounts:

components/ironic/values.yaml

@@ -304,11 +304,16 @@ manifests:
   job_rabbit_init: false
   pod_rally_test: false
   secret_db: false
-  secret_keystone: true
   service_ingress_api: false
   # these next two we create ourselves to avoid helm hooks issues
   secret_credential_keys: false
   secret_fernet_keys: false
+  # We set the `secret_keystone` and `secret_ks_etc` to false in order to disable
+  # Kubernetes section generation in OpenStack Helm, because we want those
+  # to be generated indirectly via ESO as configured in keystoneServiceUsers.enabled
+  # that is later consumed via components/openstack helm chart
+  secret_keystone: false
+  secret_ks_etc: false
 
 annotations:
   # we need to modify the annotations on OpenStack Helm