From 76f7d6dc274c6a6db5df8a27acf01ff6d0531c7d Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Tue, 1 Jul 2025 11:03:38 -0500 Subject: [PATCH] [nova]: split service accounts from the main nova.conf Split out the service account generation from the main nova.conf and into their own snippets which get mounted into the pods. OSLO reads these snippets and appends them to loaded configuration. This is a follow on to the spec [1] which has separate service accounts for accessing different services. The goal of separating this out is to allow users to provide these secrets via other means like Vault or External Secrets. [1] I12eb9341d5ff633ad4435f4938bf8c946ea388ee Change-Id: Ic05ed2886ce446803975124b755cbabe010680b6 Signed-off-by: Doug Goldstein --- .../manifests/_secret-ks-etc.yaml.tpl | 43 +++++++ nova/templates/configmap-etc.yaml | 112 ------------------ .../cron-job-archive-deleted-rows.yaml | 8 ++ nova/templates/cron-job-service-cleaner.yaml | 8 ++ nova/templates/daemonset-compute.yaml | 8 ++ nova/templates/deployment-api-metadata.yaml | 11 ++ nova/templates/deployment-api-osapi.yaml | 8 ++ nova/templates/deployment-conductor.yaml | 8 ++ nova/templates/deployment-novncproxy.yaml | 11 ++ nova/templates/deployment-scheduler.yaml | 8 ++ nova/templates/deployment-serialproxy.yaml | 11 ++ nova/templates/deployment-spiceproxy.yaml | 8 ++ nova/templates/job-cell-setup.yaml | 8 ++ nova/templates/job-nova-storage-init.yaml | 2 +- nova/templates/secret-ks-etc.yaml | 34 ++++++ .../templates/statefulset-compute-ironic.yaml | 8 ++ nova/values.yaml | 1 + releasenotes/notes/nova-476f40003a31bc77.yaml | 8 ++ 18 files changed, 192 insertions(+), 113 deletions(-) create mode 100644 helm-toolkit/templates/manifests/_secret-ks-etc.yaml.tpl create mode 100644 nova/templates/secret-ks-etc.yaml create mode 100644 releasenotes/notes/nova-476f40003a31bc77.yaml 
diff --git a/helm-toolkit/templates/manifests/_secret-ks-etc.yaml.tpl b/helm-toolkit/templates/manifests/_secret-ks-etc.yaml.tpl
new file mode 100644
index 0000000000..d93c6a212e
--- /dev/null
+++ b/helm-toolkit/templates/manifests/_secret-ks-etc.yaml.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ks_etc" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceUserSections := index . "serviceUserSections" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-ks-etc" $serviceNamePretty | quote }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{ tuple "ks_etc" $serviceName $envAll | include "helm-toolkit.snippets.custom_secret_annotations" | indent 4 }}
+type: Opaque
+data:
+{{- range $epName, $sectionName := $serviceUserSections }}
+{{- $epAuth := index $envAll.Values.endpoints.identity.auth $epName -}}
+{{- $configSection := dict
+ "region_name" $epAuth.region_name
+ "project_name" $epAuth.project_name
+ "project_domain_name" $epAuth.project_domain_name
+ "user_domain_name" $epAuth.user_domain_name
+ "username" $epAuth.username
+ "password" $epAuth.password
+-}}
+{{- $configSnippet := dict $sectionName $configSection }}
+{{ printf "%s_%s.conf" $serviceName $sectionName | indent 2 }}: {{ include "helm-toolkit.utils.to_oslo_conf" $configSnippet | b64enc }}
+{{- end }}
+{{- end -}}
diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml
index 41fa28c5c9..75b8523f7d 100644
--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
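Review bot: The `$configSection` dict emits `region_name` for every section, but the `[cinder]` block this replaces in configmap-etc.yaml set `os_region_name` from `endpoints.identity.auth.cinder.region_name` (see the removed lines there), so the cinder snippet now carries a key nova's `[cinder]` section does not use and the cinder region selection is silently dropped. Either let `serviceUserSections` carry a per-section region key name (e.g. `{"section": "cinder", "region_key": "os_region_name"}`) or keep `os_region_name` in the main conf for cinder. Separately, the commit message says oslo appends these snippets to the loaded configuration, which means the six keys now override any `conf.nova.<section>` value a user set, whereas the removed `if empty … set` logic only filled in blanks; if that precedence change is intended, a comment above `{{- range` such as `{{/* values here take precedence over the same keys in the main conf */}}` would save the next reader a surprise. The define also reads `$epAuth.<key>` unconditionally, so a missing key under `endpoints.identity.auth.<name>` renders a nil value into the snippet rather than being skipped; a short note that all six keys are required, or a guard per key, would make that explicit.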
@@ -29,25 +29,6 @@ limitations under the License. {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "auth_url" -}} {{- end -}} -{{- if empty .Values.conf.nova.keystone_authtoken.region_name -}} -{{- $_ := set .Values.conf.nova.keystone_authtoken "region_name" .Values.endpoints.identity.auth.nova.region_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.keystone_authtoken.project_name -}} -{{- $_ := set .Values.conf.nova.keystone_authtoken "project_name" .Values.endpoints.identity.auth.nova.project_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.keystone_authtoken.project_domain_name -}} -{{- $_ := set .Values.conf.nova.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.nova.project_domain_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.keystone_authtoken.user_domain_name -}} -{{- $_ := set .Values.conf.nova.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.nova.user_domain_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.keystone_authtoken.username -}} -{{- $_ := set .Values.conf.nova.keystone_authtoken "username" .Values.endpoints.identity.auth.nova.username -}} -{{- end -}} -{{- if empty .Values.conf.nova.keystone_authtoken.password -}} -{{- $_ := set .Values.conf.nova.keystone_authtoken "password" .Values.endpoints.identity.auth.nova.password -}} -{{- end -}} - {{- if empty .Values.conf.nova.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "memcached_servers" -}} {{- end -}} 
@@ -60,24 +41,6 @@ limitations under the License. {{- if empty .Values.conf.nova.service_user.auth_url -}} {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.service_user "auth_url" -}} {{- end -}} -{{- if empty .Values.conf.nova.service_user.region_name -}} -{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.service_user.project_name -}} -{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.service_user.project_domain_name -}} -{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.service_user.user_domain_name -}} -{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.service_user.username -}} -{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.service.username -}} -{{- end -}} -{{- if empty .Values.conf.nova.service_user.password -}} -{{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.service.password -}} -{{- end -}} {{- end -}} 
@@ -124,25 +87,6 @@ limitations under the License. {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.neutron "auth_url" -}} {{- end -}} -{{- if empty .Values.conf.nova.neutron.region_name -}} -{{- $_ := set .Values.conf.nova.neutron "region_name" .Values.endpoints.identity.auth.neutron.region_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.neutron.project_name -}} -{{- $_ := set .Values.conf.nova.neutron "project_name" .Values.endpoints.identity.auth.neutron.project_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.neutron.project_domain_name -}} -{{- $_ := set .Values.conf.nova.neutron "project_domain_name" .Values.endpoints.identity.auth.neutron.project_domain_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.neutron.user_domain_name -}} -{{- $_ := set .Values.conf.nova.neutron "user_domain_name" .Values.endpoints.identity.auth.neutron.user_domain_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.neutron.username -}} -{{- $_ := set .Values.conf.nova.neutron "username" .Values.endpoints.identity.auth.neutron.username -}} -{{- end -}} -{{- if empty .Values.conf.nova.neutron.password -}} -{{- $_ := set .Values.conf.nova.neutron "password" .Values.endpoints.identity.auth.neutron.password -}} -{{- end -}} - {{- if empty .Values.conf.nova.cache.memcache_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.cache "memcache_servers" -}} {{- end -}} 
@@ -159,25 +103,6 @@ limitations under the License. {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.nova.placement "auth_url" -}} {{- end -}} -{{- if empty .Values.conf.nova.placement.region_name -}} -{{- $_ := set .Values.conf.nova.placement "region_name" .Values.endpoints.identity.auth.placement.region_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.placement.project_name -}} -{{- $_ := set .Values.conf.nova.placement "project_name" .Values.endpoints.identity.auth.placement.project_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.placement.project_domain_name -}} -{{- $_ := set .Values.conf.nova.placement "project_domain_name" .Values.endpoints.identity.auth.placement.project_domain_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.placement.user_domain_name -}} -{{- $_ := set .Values.conf.nova.placement "user_domain_name" .Values.endpoints.identity.auth.placement.user_domain_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.placement.username -}} -{{- $_ := set .Values.conf.nova.placement "username" .Values.endpoints.identity.auth.placement.username -}} -{{- end -}} -{{- if empty .Values.conf.nova.placement.password -}} -{{- $_ := set .Values.conf.nova.placement "password" .Values.endpoints.identity.auth.placement.password -}} -{{- end -}} - {{- if eq .Values.console.console_kind "novnc"}} {{- $_ := "true" | set .Values.conf.nova.vnc "enabled" -}} {{- if empty .Values.conf.nova.vnc.novncproxy_base_url -}} 
@@ -231,24 +156,6 @@ limitations under the License. {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.ironic "auth_url" -}} {{- end -}} -{{- if empty .Values.conf.nova.ironic.region_name -}} -{{- $_ := set .Values.conf.nova.ironic "region_name" .Values.endpoints.identity.auth.ironic.region_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.ironic.project_name -}} -{{- $_ := set .Values.conf.nova.ironic "project_name" .Values.endpoints.identity.auth.ironic.project_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.ironic.project_domain_name -}} -{{- $_ := set .Values.conf.nova.ironic "project_domain_name" .Values.endpoints.identity.auth.ironic.project_domain_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.ironic.user_domain_name -}} -{{- $_ := set .Values.conf.nova.ironic "user_domain_name" .Values.endpoints.identity.auth.ironic.user_domain_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.ironic.username -}} -{{- $_ := set .Values.conf.nova.ironic "username" .Values.endpoints.identity.auth.ironic.username -}} -{{- end -}} -{{- if empty .Values.conf.nova.ironic.password -}} -{{- $_ := set .Values.conf.nova.ironic "password" .Values.endpoints.identity.auth.ironic.password -}} -{{- end -}} {{- if empty .Values.conf.nova.ironic.auth_type -}} {{- $_ := set .Values.conf.nova.ironic "auth_type" .Values.endpoints.identity.auth.ironic.auth_type -}} {{- end -}} 
@@ -271,25 +178,6 @@ limitations under the License. {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.cinder "auth_url" -}} {{- end -}} -{{- if empty .Values.conf.nova.cinder.os_region_name -}} -{{- $_ := set .Values.conf.nova.cinder "os_region_name" .Values.endpoints.identity.auth.cinder.region_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.cinder.project_name -}} -{{- $_ := set .Values.conf.nova.cinder "project_name" .Values.endpoints.identity.auth.cinder.project_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.cinder.project_domain_name -}} -{{- $_ := set .Values.conf.nova.cinder "project_domain_name" .Values.endpoints.identity.auth.cinder.project_domain_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.cinder.user_domain_name -}} -{{- $_ := set .Values.conf.nova.cinder "user_domain_name" .Values.endpoints.identity.auth.cinder.user_domain_name -}} -{{- end -}} -{{- if empty .Values.conf.nova.cinder.username -}} -{{- $_ := set .Values.conf.nova.cinder "username" .Values.endpoints.identity.auth.cinder.username -}} -{{- end -}} -{{- if empty .Values.conf.nova.cinder.password -}} -{{- $_ := set .Values.conf.nova.cinder "password" .Values.endpoints.identity.auth.cinder.password -}} -{{- end -}} - {{- end -}} {{- end -}} diff --git a/nova/templates/cron-job-archive-deleted-rows.yaml b/nova/templates/cron-job-archive-deleted-rows.yaml index cfaba7af14..9051fabf2c 100644 --- a/nova/templates/cron-job-archive-deleted-rows.yaml +++ b/nova/templates/cron-job-archive-deleted-rows.yaml @@ -73,6 +73,9 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.conf.d/ + readOnly: true - name: archive-deleted-rows-conf mountPath: /etc/nova/logging.conf subPath: logging.conf 
@@ -93,6 +96,11 @@ spec: - name: archive-deleted-rows-conf secret: secretName: nova-etc + - name: nova-etc-snippets + projected: + sources: + - secret: + name: nova-ks-etc {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{- end }} diff --git a/nova/templates/cron-job-service-cleaner.yaml b/nova/templates/cron-job-service-cleaner.yaml index 89adca003f..99d0339a64 100644 --- a/nova/templates/cron-job-service-cleaner.yaml +++ b/nova/templates/cron-job-service-cleaner.yaml @@ -74,6 +74,9 @@ spec: readOnly: true - name: etcnova mountPath: /etc/nova + - name: nova-etc-snippets + mountPath: /etc/nova/nova.conf.d/ + readOnly: true {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} volumes: - name: pod-tmp @@ -88,5 +91,10 @@ spec: configMap: name: nova-bin defaultMode: 0555 + - name: nova-etc-snippets + projected: + sources: + - secret: + name: nova-ks-etc {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{- end }} diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml index 83af8f3c51..464c16ec15 100644 --- a/nova/templates/daemonset-compute.yaml +++ b/nova/templates/daemonset-compute.yaml 
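Review bot: The new `nova-etc-snippets` projected volume sets no `defaultMode`, so the rendered credential files get the projected-volume default (0644) while the sibling `nova-etc` secret volume in the same list is rendered with `defaultMode: 0444`; for consistency add `defaultMode: 0444` directly under `projected:`. The same omission is in the volume hunks of cron-job-service-cleaner.yaml, daemonset-compute.yaml, deployment-api-metadata.yaml, deployment-api-osapi.yaml, deployment-conductor.yaml, deployment-novncproxy.yaml, deployment-scheduler.yaml, deployment-serialproxy.yaml, deployment-spiceproxy.yaml, job-cell-setup.yaml and statefulset-compute-ironic.yaml. Since a single `secret:` source is wrapped in `projected:`, a one-line comment stating why (presumably so further sources supplied out of band can be added, as the commit message suggests) would help, e.g. `# projected so additional credential sources can be layered in`.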
@@ -340,6 +340,9 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova-compute.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.conf.d/ + readOnly: true {{- if .Values.conf.nova.DEFAULT.log_config_append }} - name: nova-etc mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }} @@ -512,6 +515,11 @@ spec: secret: secretName: {{ $configMapName }} defaultMode: 0444 + - name: nova-etc-snippets + projected: + sources: + - secret: + name: nova-ks-etc {{- if .Values.network.ssh.enabled }} - name: nova-ssh secret: diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml index 8d7a3a7678..52a3ff6b73 100644 --- a/nova/templates/deployment-api-metadata.yaml +++ b/nova/templates/deployment-api-metadata.yaml @@ -91,6 +91,9 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.conf.d/ + readOnly: true - name: pod-shared mountPath: /tmp/pod-shared containers: @@ -143,6 +146,9 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.conf.d/ + readOnly: true {{- if .Values.conf.nova.DEFAULT.log_config_append }} - name: nova-etc mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }} @@ -215,6 +221,11 @@ spec: secret: secretName: nova-etc defaultMode: 0444 + - name: nova-etc-snippets + projected: + sources: + - secret: + name: nova-ks-etc - name: pod-shared emptyDir: {} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml index 10f50d7227..7c273172d4 100644 --- a/nova/templates/deployment-api-osapi.yaml +++ b/nova/templates/deployment-api-osapi.yaml 
@@ -111,6 +111,9 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.conf.d/ + readOnly: true - name: nova-etc mountPath: /etc/nova/nova-api-uwsgi.ini subPath: nova-api-uwsgi.ini @@ -166,6 +169,11 @@ spec: secret: secretName: nova-etc defaultMode: 0444 + - name: nova-etc-snippets + projected: + sources: + - secret: + name: nova-ks-etc {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml index 662028de2f..9a4570974b 100644 --- a/nova/templates/deployment-conductor.yaml +++ b/nova/templates/deployment-conductor.yaml @@ -115,6 +115,9 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.conf.d/ + readOnly: true {{- if .Values.conf.nova.DEFAULT.log_config_append }} - name: nova-etc mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }} 
@@ -140,6 +143,11 @@ spec: secret: secretName: nova-etc defaultMode: 0444 + - name: nova-etc-snippets + projected: + sources: + - secret: + name: nova-ks-etc {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml index 5cd435d313..f07d23b2d8 100644 --- a/nova/templates/deployment-novncproxy.yaml +++ b/nova/templates/deployment-novncproxy.yaml @@ -92,6 +92,9 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.d + readOnly: true {{- if .Values.conf.nova.DEFAULT.log_config_append }} - name: nova-etc mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }} @@ -138,6 +141,9 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.d + readOnly: true - name: nova-etc mountPath: /etc/nova/logging.conf subPath: logging.conf @@ -168,6 +174,11 @@ spec: secret: secretName: nova-etc defaultMode: 0444 + - name: nova-etc-snippets + projected: + sources: + - secret: + name: nova-ks-etc - name: pod-usr-share-novnc emptyDir: {} - name: pod-shared diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml index f760c01a55..2e6c7e6fb3 100644 --- a/nova/templates/deployment-scheduler.yaml +++ b/nova/templates/deployment-scheduler.yaml 
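Review bot: Both volumeMounts added to deployment-novncproxy.yaml use `mountPath: /etc/nova/nova.d`, while every other template in this change mounts the snippets at `/etc/nova/nova.conf.d/`. Unless novncproxy is started with an explicit `--config-dir` pointing there (nothing in the hunk shows that), oslo.config's default search looks for `nova.conf.d`, so this pod would come up without the keystone credentials the main nova.conf no longer contains; change both lines to `mountPath: /etc/nova/nova.conf.d/`. The release note in this change also names `/etc/nova/nova.d/` and should be aligned with the path the other templates use.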
@@ -115,6 +115,9 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.conf.d/ + readOnly: true {{- if .Values.conf.nova.DEFAULT.log_config_append }} - name: nova-etc mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }} @@ -140,6 +143,11 @@ spec: secret: secretName: nova-etc defaultMode: 0444 + - name: nova-etc-snippets + projected: + sources: + - secret: + name: nova-ks-etc {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} diff --git a/nova/templates/deployment-serialproxy.yaml b/nova/templates/deployment-serialproxy.yaml index c969b5b664..22adb9076b 100644 --- a/nova/templates/deployment-serialproxy.yaml +++ b/nova/templates/deployment-serialproxy.yaml @@ -90,6 +90,9 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.conf.d/ + readOnly: true {{- if .Values.conf.nova.DEFAULT.log_config_append }} - name: nova-etc mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }} @@ -121,6 +124,9 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.conf.d/ + readOnly: true - name: nova-etc mountPath: /etc/nova/logging.conf subPath: logging.conf 
@@ -146,6 +152,11 @@ spec: secret: secretName: nova-etc defaultMode: 0444 + - name: nova-etc-snippets + projected: + sources: + - secret: + name: nova-ks-etc - name: pod-usr-share-serial emptyDir: {} - name: pod-shared diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml index 5c99dfb7e6..975148443f 100644 --- a/nova/templates/deployment-spiceproxy.yaml +++ b/nova/templates/deployment-spiceproxy.yaml @@ -133,6 +133,9 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.conf.d/ + readOnly: true {{- if .Values.conf.nova.DEFAULT.log_config_append }} - name: nova-etc mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }} @@ -157,6 +160,11 @@ spec: secret: secretName: nova-etc defaultMode: 0444 + - name: nova-etc-snippets + projected: + sources: + - secret: + name: nova-ks-etc - name: pod-usr-share-spice-html5 emptyDir: {} - name: pod-shared diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml index f6e51a4ff8..a2abeacab7 100644 --- a/nova/templates/job-cell-setup.yaml +++ b/nova/templates/job-cell-setup.yaml @@ -103,6 +103,9 @@ spec: mountPath: /etc/nova/nova.conf subPath: nova.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.conf.d/ + readOnly: true {{- if .Values.conf.nova.DEFAULT.log_config_append }} - name: nova-etc mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }} @@ -124,6 +127,11 @@ spec: secret: secretName: nova-etc defaultMode: 0444 + - name: nova-etc-snippets + projected: + sources: + - secret: + name: nova-ks-etc - name: nova-bin configMap: name: nova-bin diff --git a/nova/templates/job-nova-storage-init.yaml b/nova/templates/job-nova-storage-init.yaml index 9748a5f45d..85810f4e5a 100644 --- a/nova/templates/job-nova-storage-init.yaml +++ b/nova/templates/job-nova-storage-init.yaml 
@@ -164,4 +164,4 @@ spec:
 secretName: {{ .Values.ceph_client.user_secret_name }}
 {{- end }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/nova/templates/secret-ks-etc.yaml b/nova/templates/secret-ks-etc.yaml
new file mode 100644
index 0000000000..b3419e3f51
--- /dev/null
+++ b/nova/templates/secret-ks-etc.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ks_etc }}
+{{- $envAll := . -}}
+{{/* the endpoints.identity.auth sections with the oslo conf sections they get rendered to */}}
+{{- $ksUsers := dict
+ "nova" "keystone_authtoken"
+ "neutron" "neutron"
+ "placement" "placement"
+ "ironic" "ironic"
+ "cinder" "cinder"
+-}}
+{{- if .Values.conf.nova.service_user.send_service_user_token }}
+{{- $_ := set $ksUsers "service" "service_user" -}}
+{{- end }}
+{{ dict
+ "envAll" $envAll
+ "serviceName" "nova"
+ "serviceUserSections" $ksUsers
+ | include "helm-toolkit.manifests.secret_ks_etc"
+}}
+{{- end }}
diff --git a/nova/templates/statefulset-compute-ironic.yaml b/nova/templates/statefulset-compute-ironic.yaml
index 4936429a81..4c22627f96 100644
--- a/nova/templates/statefulset-compute-ironic.yaml
+++ b/nova/templates/statefulset-compute-ironic.yaml
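Review bot: `$ksUsers` always includes `ironic` and `cinder`, so their credential snippets are rendered into the Secret unconditionally, whereas the removed blocks in configmap-etc.yaml for those two sections appear to sit inside enclosing conditionals (their closing `{{- end -}}` lines are visible in those hunks; the opening `if` lines are outside them), and the `service_user` entry here is correctly gated on `send_service_user_token`. If ironic or cinder were previously optional, mirror the same condition before adding them to `$ksUsers`, otherwise the pods receive credentials for services they are not configured to talk to and the template fails to render when `endpoints.identity.auth.ironic` or `.cinder` is absent. The existing `{{/* … */}}` comment on the dict is good; extending it with the precedence note `snippets are appended after nova.conf, so these keys override conf.nova.<section>` would document the behaviour change for chart users.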
@@ -74,6 +74,9 @@ spec: mountPath: /etc/nova/nova-compute.conf subPath: nova-compute.conf readOnly: true + - name: nova-etc-snippets + mountPath: /etc/nova/nova.conf.d/ + readOnly: true {{- if .Values.conf.nova.DEFAULT.log_config_append }} - name: nova-etc mountPath: {{ .Values.conf.nova.DEFAULT.log_config_append }} @@ -106,6 +109,11 @@ spec: secret: secretName: nova-etc defaultMode: 0444 + - name: nova-etc-snippets + projected: + sources: + - secret: + name: nova-ks-etc - name: varlibironic hostPath: path: /var/lib/ironic diff --git a/nova/values.yaml b/nova/values.yaml index cabaf72ac3..892bae384a 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -2697,6 +2697,7 @@ manifests: secret_db: true secret_ingress_tls: true secret_keystone: true + secret_ks_etc: true secret_rabbitmq: true secret_registry: true service_ingress_metadata: true diff --git a/releasenotes/notes/nova-476f40003a31bc77.yaml b/releasenotes/notes/nova-476f40003a31bc77.yaml new file mode 100644 index 0000000000..3c9b690a97 --- /dev/null +++ b/releasenotes/notes/nova-476f40003a31bc77.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + Split out the OpenStack service account definitions from nova.conf and into + config snippets which are loaded at /etc/nova/nova.d/, which is automatically + loaded by OSLO when loading the main nova.conf. This makes it easier for users + to use the regular config generation while supplying credentials out of band. +...
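Review bot: The new `secret_ks_etc: true` toggle in values.yaml is the switch for the out-of-band credential flow the commit message describes, but nothing documents the contract an external Secret must satisfy: every template added in this change hard-codes the volume source as `name: nova-ks-etc`, and the helm-toolkit define names the data keys `<service>_<section>.conf` holding base64 oslo ini snippets. Please add a comment above the key, e.g. `# set false to supply the nova-ks-etc Secret externally; keys must be nova_<section>.conf`, so users who disable rendering know the name and key layout the pods expect.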