Merge pull request #1193 from rackerlabs/avoid-fernet-key-reset

fix(keystone): avoid resetting keys on each deploy

Author: cardoe

components/keystone/kustomization.yaml

@@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
+  - secret-keystone-keys.yaml
   - keystone-mariadb-db.yaml
   - keystone-rabbitmq-queue.yaml
   - external-secret-keystone-sso.yaml

components/keystone/secret-keystone-keys.yaml

@@ -0,0 +1,17 @@
+# Explicitly define this secret as empty so that OpenStack Helm does not
+# create it for us because it will put helm hook annotations on the one
+# it generates. This causes the secret to get re-generated by subsequent
+# helm runs. Specifically ArgoCD cleans up anything with a helm hook
+# before applying the chart again. We do not want this to go away and
+# instead allow other jobs to update it so it should persist.
+# TODO: remove after https://review.opendev.org/c/openstack/openstack-helm/+/959251 is released.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keystone-fernet-keys
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keystone-credential-keys

components/keystone/values.yaml

@@ -306,6 +306,9 @@ manifests:
   secret_db: false
   secret_keystone: true
   service_ingress_api: false
+  # these next two we create ourselves to avoid helm hooks issues
+  secret_credential_keys: false
+  secret_fernet_keys: false
 
 annotations:
   # we need to modify the annotations on OpenStack Helm