
Commit c589b44

committed
feat(openstack): mount the keystone secrets config snippets
The change to mount these has not landed in all upstream charts and we've also not updated to the charts that have this change across the board. So for now include it in all of our configs until this change can make its way upstream.
1 parent 2114a6c commit c589b44


7 files changed

+341
-30
lines changed


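--- a/components/cinder/values.yaml
+++ b/components/cinder/values.yaml
@@ -62,16 +62,94 @@ pod:
 volumeMounts:
 - mountPath: /var/lib/cinder
 name: var-lib-cinder
-- mountPath: /etc/cinder/cinder.conf.d/netapp_nvme.conf
-subPath: netapp_nvme.conf
-name: volume-backend
+- name: cinder-etc-snippets
+mountPath: /etc/cinder/cinder.conf.d/
 readOnly: true
 volumes:
 - name: var-lib-cinder
 emptyDir: {}
-- name: volume-backend
-secret:
-secretName: cinder-netapp-config
+- name: cinder-etc-snippets
+projected:
+sources:
+- secret:
+name: cinder-ks-etc
+- secret:
+name: volume-backend
+items:
+- key: netapp_nvme.conf
+path: netapp_nvme.conf
+cinder_volume_usage_audit:
+cinder_volume_usage_audit:
+volumeMounts:
+- name: cinder-etc-snippets
+mountPath: /etc/cinder/cinder.conf.d/
+readOnly: true
+volumes:
+- name: cinder-etc-snippets
+projected:
+sources:
+- secret:
+name: cinder-ks-etc
+cinder_db_sync:
+cinder_db_sync:
+volumeMounts:
+- name: cinder-etc-snippets
+mountPath: /etc/cinder/cinder.conf.d/
+readOnly: true
+volumes:
+- name: cinder-etc-snippets
+projected:
+sources:
+- secret:
+name: cinder-ks-etc
+cinder_backup:
+cinder_backup:
+volumeMounts:
+- name: cinder-etc-snippets
+mountPath: /etc/cinder/cinder.conf.d/
+readOnly: true
+volumes:
+- name: cinder-etc-snippets
+projected:
+sources:
+- secret:
+name: cinder-ks-etc
+cinder_scheduler:
+cinder_scheduler:
+volumeMounts:
+- name: cinder-etc-snippets
+mountPath: /etc/cinder/cinder.conf.d/
+readOnly: true
+volumes:
+- name: cinder-etc-snippets
+projected:
+sources:
+- secret:
+name: cinder-ks-etc
+cinder_db_purge:
+cinder_db_purge:
+volumeMounts:
+- name: cinder-etc-snippets
+mountPath: /etc/cinder/cinder.conf.d/
+readOnly: true
+volumes:
+- name: cinder-etc-snippets
+projected:
+sources:
+- secret:
+name: cinder-ks-etc
+cinder_api:
+cinder_api:
+volumeMounts:
+- name: cinder-etc-snippets
+mountPath: /etc/cinder/cinder.conf.d/
+readOnly: true
+volumes:
+- name: cinder-etc-snippets
+projected:
+sources:
+- secret:
+name: cinder-ks-etc
 lifecycle:
 disruption_budget:
 deployments: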
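Review bot: In the first `volumes:` list the second projected source is `name: volume-backend`, but the volume it replaces read its data from `secretName: cinder-netapp-config`; `volume-backend` was only the name of the volume. Unless a Secret called `volume-backend` exists elsewhere, the projected volume cannot be assembled and the pod will not start, because the source is not marked `optional`. The source should probably read `- secret:` / `name: cinder-netapp-config`, keeping the same `items:` list. The enclosing `pod.mounts` entry starts above the hunk, so which service this first list belongs to is not visible here.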

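--- a/components/glance/values.yaml
+++ b/components/glance/values.yaml
@@ -65,6 +65,31 @@ dependencies:
 - glance-ks-endpoints
 
 pod:
+mounts:
+glance_db_sync:
+glance_db_sync:
+volumeMounts:
+- name: glance-etc-snippets
+mountPath: /etc/glance/glance.conf.d/
+readOnly: true
+volumes:
+- name: glance-etc-snippets
+projected:
+sources:
+- secret:
+name: glance-ks-etc
+glance_api:
+glance_api:
+volumeMounts:
+- name: glance-etc-snippets
+mountPath: /etc/glance/glance.conf.d/
+readOnly: true
+volumes:
+- name: glance-etc-snippets
+projected:
+sources:
+- secret:
+name: glance-ks-etc
 lifecycle:
 disruption_budget:
 api: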
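Review bot: The projected `secret` source for `glance-ks-etc` has no `items:` list, so every key in that Secret becomes a file under `/etc/glance/glance.conf.d/`, a directory that oslo.config autoloads `*.conf` files from in alphabetical order (per the comment removed in the neutron section of this commit). The Secret's full contents therefore decide which options the service loads, not only the Keystone credentials; the same holds for `cinder-ks-etc`, `neutron-ks-etc`, `nova-ks-etc` and `octavia-ks-etc` in the other files. Consider pinning the expected key with `items:` / `- key: <snippet-key>.conf` / `path: <snippet-key>.conf` (placeholder; the real key name is not shown on this page), as the cinder `netapp_nvme.conf` source already does. Because these files hold credentials, a short comment stating who owns the `*-ks-etc` Secrets and that they must contain only config snippets would also help the next reader.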

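--- a/components/neutron/values.yaml
+++ b/components/neutron/values.yaml
@@ -99,41 +99,65 @@ conf:
 
 # disable the neutron-ironic-agent from loading a non-existent config
 pod:
-use_fqdn:
-neutron_agent: false
-lifecycle:
-disruption_budget:
-server:
-# this should be set to no more than (pod.replicas.server - 1)
-# usually set on per-deployment basis.
-min_available: 0
 mounts:
+neutron_db_sync:
+neutron_db_sync:
+volumeMounts:
+# this is upstream but since we're making a list it gets replaced
+- name: db-sync-conf
+mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
+subPath: ml2_conf.ini
+readOnly: true
+- name: neutron-etc-snippets
+mountPath: /etc/neutron/neutron.conf.d/
+readOnly: true
+volumes:
+- name: neutron-etc-snippets
+projected:
+sources:
+- secret:
+name: neutron-ks-etc
+neutron_ironic_agent:
+neutron_ironic_agent:
+volumeMounts:
+- name: neutron-etc-snippets
+mountPath: /etc/neutron/neutron.conf.d/
+readOnly: true
+volumes:
+- name: neutron-etc-snippets
+projected:
+sources:
+- secret:
+name: neutron-ks-etc
 neutron_server:
 neutron_server:
 volumeMounts:
-# oslo.config autoloads certain paths in alphabetical order
-# which gives us the opportunity to inject secrets and extra
-# configs here. likely the best paths are:
-# /etc/${project}/${prog}.conf.d/*.conf
-# /etc/${project}/${project}.conf.d/*.conf
-# the first would be best for per service separation but since each
-# service is in its own pod they won't overlap. further more there
-# is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514
-# so we'll use the bottom one
-- mountPath: /etc/neutron/neutron.conf.d/ml2_understack.conf
-name: neutron-nautobot
-subPath: ml2_understack.conf
-readOnly: true
 - mountPath: /etc/undersync/
 name: undersync-token
 readOnly: true
+- name: neutron-etc-snippets
+mountPath: /etc/neutron/neutron.conf.d/
+readOnly: true
 volumes:
-- name: neutron-nautobot
-secret:
-secretName: neutron-nautobot
 - name: undersync-token
 secret:
 secretName: undersync-token
+- name: neutron-etc-snippets
+projected:
+sources:
+- secret:
+name: neutron-ks-etc
+- secret:
+name: neutron-nautobot
+
+use_fqdn:
+neutron_agent: false
+lifecycle:
+disruption_budget:
+server:
+# this should be set to no more than (pod.replicas.server - 1)
+# usually set on per-deployment basis.
+min_available: 0
 resources:
 enabled: true
 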
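Review bot: In `neutron_server` the whole `neutron-nautobot` Secret is now projected into `/etc/neutron/neutron.conf.d/`, where the removed mount exposed only `ml2_understack.conf` through `subPath`. Any other key held in that Secret would now appear as a file in the config directory, and would be parsed if its name ends in `.conf`. Restrict the source the way the cinder file does, with `items:` / `- key: ml2_understack.conf` / `path: ml2_understack.conf`. The deleted comment explaining why `/etc/${project}/${project}.conf.d/` was chosen, including the oslo.config bug link, is the only record of that decision on this page; a one-line version next to the new `neutron-etc-snippets` mount would preserve it.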

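--- a/components/nova/values.yaml
+++ b/components/nova/values.yaml
@@ -148,6 +148,79 @@ dependencies:
 - nova-db-sync
 
 pod:
+mounts:
+nova_db_sync:
+nova_db_sync:
+volumeMounts:
+- name: nova-etc-snippets
+mountPath: /etc/nova/nova.conf.d/
+readOnly: true
+volumes:
+- name: nova-etc-snippets
+projected:
+sources:
+- secret:
+name: nova-ks-etc
+nova_api_osapi:
+nova_api_osapi:
+volumeMounts:
+- name: nova-etc-snippets
+mountPath: /etc/nova/nova.conf.d/
+readOnly: true
+volumes:
+- name: nova-etc-snippets
+projected:
+sources:
+- secret:
+name: nova-ks-etc
+nova_api_metadata:
+nova_api_metadata:
+volumeMounts:
+- name: nova-etc-snippets
+mountPath: /etc/nova/nova.conf.d/
+readOnly: true
+volumes:
+- name: nova-etc-snippets
+projected:
+sources:
+- secret:
+name: nova-ks-etc
+nova_compute_ironic:
+nova_compute_ironic:
+volumeMounts:
+- name: nova-etc-snippets
+mountPath: /etc/nova/nova.conf.d/
+readOnly: true
+volumes:
+- name: nova-etc-snippets
+projected:
+sources:
+- secret:
+name: nova-ks-etc
+nova_scheduler:
+nova_scheduler:
+volumeMounts:
+- name: nova-etc-snippets
+mountPath: /etc/nova/nova.conf.d/
+readOnly: true
+volumes:
+- name: nova-etc-snippets
+projected:
+sources:
+- secret:
+name: nova-ks-etc
+nova_conductor:
+nova_conductor:
+volumeMounts:
+- name: nova-etc-snippets
+mountPath: /etc/nova/nova.conf.d/
+readOnly: true
+volumes:
+- name: nova-etc-snippets
+projected:
+sources:
+- secret:
+name: nova-ks-etc
 lifecycle:
 disruption_budget:
 osapi: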

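--- a/components/octavia/values.yaml
+++ b/components/octavia/values.yaml
@@ -83,6 +83,67 @@ dependencies:
 jobs:
 
 pod:
+mounts:
+octavia_db_sync:
+octavia_db_sync:
+volumeMounts:
+- name: octavia-etc-snippets
+mountPath: /etc/octavia/octavia.conf.d/
+readOnly: true
+volumes:
+- name: octavia-etc-snippets
+projected:
+sources:
+- secret:
+name: octavia-ks-etc
+octavia_driver_agent:
+octavia_driver_agent:
+volumeMounts:
+- name: octavia-etc-snippets
+mountPath: /etc/octavia/octavia.conf.d/
+readOnly: true
+volumes:
+- name: octavia-etc-snippets
+projected:
+sources:
+- secret:
+name: octavia-ks-etc
+octavia_api:
+octavia_api:
+volumeMounts:
+- name: octavia-etc-snippets
+mountPath: /etc/octavia/octavia.conf.d/
+readOnly: true
+volumes:
+- name: octavia-etc-snippets
+projected:
+sources:
+- secret:
+name: octavia-ks-etc
+octavia_housekeeping:
+octavia_housekeeping:
+volumeMounts:
+- name: octavia-etc-snippets
+mountPath: /etc/octavia/octavia.conf.d/
+readOnly: true
+volumes:
+- name: octavia-etc-snippets
+projected:
+sources:
+- secret:
+name: octavia-ks-etc
+octavia_health_manager:
+octavia_health_manager:
+volumeMounts:
+- name: octavia-etc-snippets
+mountPath: /etc/octavia/octavia.conf.d/
+readOnly: true
+volumes:
+- name: octavia-etc-snippets
+projected:
+sources:
+- secret:
+name: octavia-ks-etc
 resources:
 enabled: true
 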
