feat(neutron): split service accounts from the main neutron.conf

Split out the service account generation from the main nova.conf and
into their own snippets, which get mounted into the pods. OSLO reads
these snippets and appends them to the loaded configuration. This is a
follow-on to the spec [1], which has separate service accounts for
accessing different services. The goal of separating this out is to
allow users to provide these secrets via other means, such as Vault or
External Secrets.

[1] I12eb9341d5ff633ad4435f4938bf8c946ea388ee

Change-Id: Ifad5b03b2d775e12a269c08edf5403fa99382491
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Doug Goldstein
2025-07-25 18:01:19 -05:00
parent 80041dfbb5
commit 6f28650a21
19 changed files with 188 additions and 84 deletions


@@ -31,24 +31,6 @@ limitations under the License.
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.keystone_authtoken "auth_url" -}}
{{- end }}
{{- if empty .Values.conf.neutron.keystone_authtoken.project_name -}}
{{- $_ := set .Values.conf.neutron.keystone_authtoken "project_name" .Values.endpoints.identity.auth.neutron.project_name -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.project_domain_name -}}
{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "project_domain_name" $envAll.Values.endpoints.identity.auth.neutron.project_domain_name -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.user_domain_name -}}
{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "user_domain_name" $envAll.Values.endpoints.identity.auth.neutron.user_domain_name -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.username -}}
{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "username" $envAll.Values.endpoints.identity.auth.neutron.username -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.password -}}
{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "password" $envAll.Values.endpoints.identity.auth.neutron.password -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.region_name -}}
{{- $_ := set $envAll.Values.conf.neutron.keystone_authtoken "region_name" $envAll.Values.endpoints.identity.auth.neutron.region_name -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.memcached_servers -}}
{{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set $envAll.Values.conf.neutron.keystone_authtoken "memcached_servers" -}}
@@ -74,47 +56,11 @@ limitations under the License.
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.nova "auth_url" -}}
{{- end }}
{{- if empty $envAll.Values.conf.neutron.nova.region_name -}}
{{- $_ := set $envAll.Values.conf.neutron.nova "region_name" $envAll.Values.endpoints.identity.auth.nova.region_name -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.nova.project_name -}}
{{- $_ := set $envAll.Values.conf.neutron.nova "project_name" $envAll.Values.endpoints.identity.auth.nova.project_name -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.nova.project_domain_name -}}
{{- $_ := set $envAll.Values.conf.neutron.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.nova.project_domain_name -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.nova.user_domain_name -}}
{{- $_ := set $envAll.Values.conf.neutron.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.nova.user_domain_name -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.nova.username -}}
{{- $_ := set $envAll.Values.conf.neutron.nova "username" $envAll.Values.endpoints.identity.auth.nova.username -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.nova.password -}}
{{- $_ := set $envAll.Values.conf.neutron.nova "password" $envAll.Values.endpoints.identity.auth.nova.password -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.placement.auth_url -}}
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.placement "auth_url" -}}
{{- end }}
{{- if empty $envAll.Values.conf.neutron.placement.region_name -}}
{{- $_ := set $envAll.Values.conf.neutron.placement "region_name" $envAll.Values.endpoints.identity.auth.placement.region_name -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.placement.project_name -}}
{{- $_ := set $envAll.Values.conf.neutron.placement "project_name" $envAll.Values.endpoints.identity.auth.placement.project_name -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.placement.project_domain_name -}}
{{- $_ := set $envAll.Values.conf.neutron.placement "project_domain_name" $envAll.Values.endpoints.identity.auth.placement.project_domain_name -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.placement.user_domain_name -}}
{{- $_ := set $envAll.Values.conf.neutron.placement "user_domain_name" $envAll.Values.endpoints.identity.auth.placement.user_domain_name -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.placement.username -}}
{{- $_ := set $envAll.Values.conf.neutron.placement "username" $envAll.Values.endpoints.identity.auth.placement.username -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.placement.password -}}
{{- $_ := set $envAll.Values.conf.neutron.placement "password" $envAll.Values.endpoints.identity.auth.placement.password -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.octavia.base_url -}}
{{- $_ := tuple "load_balancer" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.octavia "base_url" -}}
@@ -223,42 +169,12 @@ limitations under the License.
{{/* Designate DNS driver */}}
{{- if eq (.Values.conf.neutron.DEFAULT.external_dns_driver | default "") "designate" -}}
{{- if empty .Values.conf.neutron.designate.project_name -}}
{{- $_ := set .Values.conf.neutron.designate "project_name" .Values.endpoints.identity.auth.designate.project_name -}}
{{- end -}}
{{- if empty .Values.conf.neutron.designate.project_domain_name -}}
{{- $_ := set .Values.conf.neutron.designate "project_domain_name" .Values.endpoints.identity.auth.designate.project_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.neutron.designate.user_domain_name -}}
{{- $_ := set .Values.conf.neutron.designate "user_domain_name" .Values.endpoints.identity.auth.designate.user_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.neutron.designate.username -}}
{{- $_ := set .Values.conf.neutron.designate "username" .Values.endpoints.identity.auth.designate.username -}}
{{- end -}}
{{- if empty .Values.conf.neutron.designate.password -}}
{{- $_ := set .Values.conf.neutron.designate "password" .Values.endpoints.identity.auth.designate.password -}}
{{- end -}}
{{- if empty .Values.conf.neutron.designate.auth_url -}}
{{- $_ := tuple "dns" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.neutron.designate "auth_url" -}}
{{- end -}}
{{- end }}
{{- if (has "baremetal" .Values.network.backend) -}}
{{- if empty .Values.conf.neutron.ironic.project_name -}}
{{- $_ := set .Values.conf.neutron.ironic "project_name" .Values.endpoints.identity.auth.ironic.project_name -}}
{{- end -}}
{{- if empty .Values.conf.neutron.ironic.project_domain_name -}}
{{- $_ := set .Values.conf.neutron.ironic "project_domain_name" .Values.endpoints.identity.auth.ironic.project_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.neutron.ironic.user_domain_name -}}
{{- $_ := set .Values.conf.neutron.ironic "user_domain_name" .Values.endpoints.identity.auth.ironic.user_domain_name -}}
{{- end -}}
{{- if empty .Values.conf.neutron.ironic.username -}}
{{- $_ := set .Values.conf.neutron.ironic "username" .Values.endpoints.identity.auth.ironic.username -}}
{{- end -}}
{{- if empty .Values.conf.neutron.ironic.password -}}
{{- $_ := set .Values.conf.neutron.ironic "password" .Values.endpoints.identity.auth.ironic.password -}}
{{- end -}}
{{- if empty $envAll.Values.conf.neutron.ironic.auth_url -}}
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.ironic "auth_url" -}}
{{- end }}


@@ -99,6 +99,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
{{- if( has "tungstenfabric" .Values.network.backend ) }}
- name: neutron-etc
mountPath: /etc/neutron/plugins/tungstenfabric/tf_plugin.ini
@@ -169,6 +172,11 @@ spec:
secret:
secretName: neutron-etc
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
- name: neutron-plugin-shared
emptyDir: {}
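Review bot: The new `neutron-etc-snippets` projected volume sets no `defaultMode`, while the `neutron-etc` secret volume directly above it pins `defaultMode: 0444`. This volume carries the Keystone service-account snippets, so its file mode should be stated explicitly rather than left to the Kubernetes default for projected volumes (0644). Add `defaultMode: 0444` under `projected:` to match the sibling volume, or a tighter mode such as `0440` if the pod's security context (not visible in this hunk) gives the neutron user group access to the files. The same volume definition is repeated in the other pod templates of this commit and needs the same line.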


@@ -96,6 +96,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
@@ -146,6 +149,11 @@ spec:
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
- name: libmodules
hostPath:
path: /lib/modules
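Review bot: The secret name `neutron-ks-etc` is hard-coded in the projected source, whereas the volume just above it takes its name from `{{ $configMapName }}`. The volume is also added unconditionally, although the chart only creates that secret when `manifests.secret_ks_etc` is true. With the flag off (the Vault / External Secrets case from the commit message), a Secret of exactly this name must already exist or the pod cannot start, because the source is not marked `optional`. I would record that contract next to the volume, e.g. `# neutron-ks-etc: rendered by the chart when manifests.secret_ks_etc is true, otherwise must be supplied externally`, or make the name a value. This applies to every template in the commit that adds this volume.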


@@ -128,6 +128,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/dhcp_agent.ini
subPath: dhcp_agent.ini
@@ -202,6 +205,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
@@ -279,6 +285,11 @@ spec:
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
- name: iptables-lockfile
hostPath:
path: /run/xtables.lock
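Review bot: Nothing at the mount records why `/etc/neutron/neutron.conf.d/` is the right directory. The snippets are only read if the process relies on oslo.config's default config-dir lookup, and the container command is outside these hunks. If any container is started with an explicit `--config-dir`, that default is replaced and the credentials would silently be missing, so this is worth confirming per pod. The release note added in this commit also names the directory `/etc/neutron/neutron.d/`, which does not match the mountPath used here. A short comment above the mount such as `# oslo.config default config dir; holds the keystone service-account snippets` would document the dependency in each template.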


@@ -128,6 +128,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
@@ -153,6 +156,11 @@ spec:
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_neutron_l2gw_agent.volumes }}{{ toYaml $mounts_neutron_l2gw_agent.volumes | indent 8 }}{{ end }}
{{- end }}


@@ -120,6 +120,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/metadata_agent.ini
subPath: metadata_agent.ini
@@ -190,6 +193,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
@@ -262,6 +268,11 @@ spec:
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
- name: libmodules
hostPath:
path: /lib/modules


@@ -105,6 +105,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
subPath: ml2_conf.ini
@@ -164,6 +167,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
@@ -218,6 +224,11 @@ spec:
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
- name: run
hostPath:
path: /run


@@ -113,6 +113,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
- name: socket
mountPath: /var/lib/neutron/openstack-helm
containers:
@@ -147,6 +150,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
@@ -211,6 +217,11 @@ spec:
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
- name: socket
hostPath:
path: /var/lib/neutron/openstack-helm


@@ -87,6 +87,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
@@ -148,6 +151,11 @@ spec:
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
- name: libmodules
hostPath:
path: /lib/modules


@@ -115,6 +115,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
- name: socket
mountPath: /var/lib/neutron/openstack-helm
- name: ovn-neutron-init
@@ -164,6 +167,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
@@ -235,6 +241,11 @@ spec:
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
- name: socket
hostPath:
path: /var/lib/neutron/openstack-helm


@@ -115,6 +115,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
- name: socket
mountPath: /var/lib/neutron/openstack-helm
- name: ovn-neutron-init
@@ -164,6 +167,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
@@ -231,6 +237,11 @@ spec:
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
- name: socket
hostPath:
path: /var/lib/neutron/openstack-helm


@@ -143,6 +143,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
subPath: ml2_conf.ini
@@ -238,6 +241,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
@@ -300,6 +306,11 @@ spec:
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
- name: run
hostPath:
path: /run


@@ -98,6 +98,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
subPath: ml2_conf.ini
@@ -172,6 +175,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
@@ -238,6 +244,11 @@ spec:
secret:
secretName: {{ $configMapName }}
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
- name: run
hostPath:
path: /run


@@ -104,6 +104,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
@@ -131,6 +134,11 @@ spec:
secret:
secretName: neutron-etc
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_neutron_ironic_agent.volumes }}{{ toYaml $mounts_neutron_ironic_agent.volumes | indent 8 }}{{ end }}
{{- end }}


@@ -126,6 +126,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/neutron-api-uwsgi.ini
subPath: neutron-api-uwsgi.ini
@@ -218,6 +221,11 @@ spec:
secret:
secretName: neutron-etc
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
- name: neutron-plugin-shared
emptyDir: {}


@@ -206,6 +206,9 @@ spec:
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
- name: neutron-etc-snippets
mountPath: /etc/neutron/neutron.conf.d/
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/neutron-api-uwsgi.ini
subPath: neutron-api-uwsgi.ini
@@ -298,6 +301,11 @@ spec:
secret:
secretName: neutron-etc
defaultMode: 0444
- name: neutron-etc-snippets
projected:
sources:
- secret:
name: neutron-ks-etc
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
- name: neutron-plugin-shared
emptyDir: {}


@@ -0,0 +1,35 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ks_etc }}
{{- $envAll := . -}}
{{/* the endpoints.identity.auth sections with the oslo conf sections they get rendered to */}}
{{- $ksUsers := dict
"neutron" "keystone_authtoken"
"nova" "nova"
"placement" "placement"
-}}
{{- if eq (.Values.conf.neutron.DEFAULT.external_dns_driver | default "") "designate" -}}
{{- $_ := set $ksUsers "designate" "designate" -}}
{{- end -}}
{{- if (has "baremetal" .Values.network.backend) -}}
{{- $_ := set $ksUsers "ironic" "ironic" -}}
{{- end -}}
{{ dict
"envAll" $envAll
"serviceName" "neutron"
"serviceUserSections" $ksUsers
| include "helm-toolkit.manifests.secret_ks_etc"
}}
{{- end }}
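Review bot: Every service user in `$ksUsers` ends up in the single `neutron-ks-etc` secret, which the rest of this commit mounts into all neutron pods, so agents that never call nova, placement, designate or ironic still receive those passwords. That matches what neutron.conf carried before, but now that the credentials are separate it would be possible to project only the sections a given pod needs; this is worth a follow-up, or a comment recording the decision. Separately, oslo.config parses the config directory after the config file, so a `conf.neutron.<section>.username` or `password` that a user still sets in values will presumably be overridden by the `endpoints.identity.auth` values from the snippet. The helper `helm-toolkit.manifests.secret_ks_etc` is not visible here, so please confirm that precedence and mention it in the upgrade notes.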


@@ -2711,6 +2711,7 @@ manifests:
secret_db: true
secret_ingress_tls: true
secret_keystone: true
secret_ks_etc: true
secret_rabbitmq: true
secret_registry: true
service_ingress_server: true


@@ -0,0 +1,8 @@
---
features:
- |
Split out the OpenStack service account definitions from neutron.conf and into
config snippets which are loaded at /etc/neutron/neutron.d/, which is automatically
loaded by OSLO when loading the main neutron.conf. This makes it easier for users
to use the regular config generation while supplying credentials out of band.
...