Merge "[htk] job_ks_user to create multiple users"

heat/templates/job-ks-user-trustee.yaml

@@ -1,31 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- define "metadata.annotations.job.heat_trust" }}
-helm.sh/hook: post-install,post-upgrade
-{{- end }}
-
-{{- if .Values.manifests.job_ks_user_trustee }}
-{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
-{{- if or .Values.manifests.certificates .Values.tls.identity -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
-{{- end -}}
-{{- if .Values.helm3_hook }}
-{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.heat_trust" . | fromYaml) }}
-{{- end }}
-{{- if .Values.pod.tolerations.heat.enabled -}}
-{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
-{{- end -}}
-{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
-{{- end }}

heat/templates/job-ks-user.yaml

@@ -18,7 +18,7 @@ helm.sh/hook-weight: "-1"
 {{- end }}
 
 {{- if .Values.manifests.job_ks_user }}
-{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
+{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUsers" (tuple "heat" "heat_trustee") -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
 {{- end -}}

heat/values.yaml

@@ -584,7 +584,6 @@ dependencies:
         - heat-db-sync
         - heat-rabbit-init
         - heat-ks-user
-        - heat-trustee-ks-user
         - heat-domain-ks-user
         - heat-ks-endpoints
         - heat-bootstrap
@@ -600,7 +599,6 @@ dependencies:
         - heat-db-sync
         - heat-rabbit-init
         - heat-ks-user
-        - heat-trustee-ks-user
         - heat-domain-ks-user
         - heat-ks-endpoints
         - heat-bootstrap
@@ -616,7 +614,6 @@ dependencies:
         - heat-db-sync
         - heat-rabbit-init
         - heat-ks-user
-        - heat-trustee-ks-user
         - heat-domain-ks-user
         - heat-ks-endpoints
         - heat-bootstrap
@@ -650,7 +647,6 @@ dependencies:
         - heat-db-sync
         - heat-rabbit-init
         - heat-ks-user
-        - heat-trustee-ks-user
         - heat-domain-ks-user
         - heat-ks-endpoints
         - heat-bootstrap
@@ -665,7 +661,6 @@ dependencies:
       jobs:
         - heat-db-sync
         - heat-ks-user
-        - heat-trustee-ks-user
         - heat-domain-ks-user
         - heat-ks-endpoints
       services:
@@ -679,7 +674,6 @@ dependencies:
       jobs:
         - heat-db-sync
         - heat-ks-user
-        - heat-trustee-ks-user
         - heat-domain-ks-user
         - heat-ks-endpoints
       services:
@@ -710,7 +704,6 @@ dependencies:
     trusts:
       jobs:
         - heat-ks-user
-        - heat-trustee-ks-user
         - heat-domain-ks-user
       services:
         - endpoint: internal

helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl

@@ -18,41 +18,27 @@ limitations under the License.
 # { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
 
 {{/*
-  # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
-  # example:
-  #  values: |
-  #    pod:
-  #      security_context:
-  #        ks_user:
-  #          pod:
-  #            runAsUser: 65534
-  # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
-  # example:
-  #   values: |
-  #     pod:
-  #       security_context:
-  #         ks_user:
-  #           container:
-  #             ks-user:
-  #               runAsUser: 65534
-  #               readOnlyRootFilesystem: true
-  #               allowPrivilegeEscalation: false
+# This function creates a manifest for keystone user management.
+# It can be used in charts as follows:
+# {{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUsers" ( tuple "heat" "heat_trustee" ) -}}
+# {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 */}}
 
 {{- define "helm-toolkit.manifests.job_ks_user" -}}
 {{- $envAll := index . "envAll" -}}
 {{- $serviceName := index . "serviceName" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
 {{- $jobAnnotations := index . "jobAnnotations" -}}
 {{- $jobLabels := index . "jobLabels" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
 {{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
-{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $singleServiceUser := index . "serviceUser" | default $serviceName -}}
+{{- $serviceUsers := index . "serviceUsers" | default (tuple $singleServiceUser) -}}
 {{- $secretBin := index . "secretBin" -}}
 {{- $tlsSecret := index . "tlsSecret" | default "" -}}
 {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
 {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
-{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
 {{- $restartPolicy_ := "OnFailure" -}}
 {{- if hasKey $envAll.Values "jobs" -}}
 {{- if hasKey $envAll.Values.jobs "ks_user" -}}
@@ -61,13 +47,13 @@ limitations under the License.
 {{- end }}
 {{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
 
-{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{- $serviceAccountName := printf "%s-ks-user" $serviceNamePretty }}
 {{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+  name: {{ printf "%s-ks-user" $serviceNamePretty | quote }}
   labels:
 {{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 {{- if $jobLabels }}
@@ -105,7 +91,8 @@ spec:
       initContainers:
 {{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
-        - name: ks-user
+{{- range $serviceUser := $serviceUsers }}
+        - name: {{ printf "%s-ks-user" $serviceUser | replace "_" "-" | quote }}
           image: {{ $envAll.Values.images.tags.ks_user }}
           imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@@ -138,6 +125,7 @@ spec:
             {{- else }}
               value: {{ $serviceOsRoles | quote }}
             {{- end }}
+{{- end }}
       volumes:
         - name: pod-tmp
           emptyDir: {}

releasenotes/notes/heat-5e861ec1ee8e2784.yaml

@@ -0,0 +1,7 @@
+---
+heat:
+  - |
+    Create heat and heat_trustee service users in a single job.
+    This is to align with the helm-toolkit change regarding
+    Keystone user creation job.
+...

releasenotes/notes/helm-toolkit-a2810391532bd64a.yaml

@@ -0,0 +1,5 @@
+---
+helm-toolkit:
+  - |
+    Modify job_ks_user template to be able to create multiple Keystone users
+...