From c221fa524889ce58f9666459c52f9b858c97fc4e Mon Sep 17 00:00:00 2001 
From: Pete Birley Date: Sun, 2 Jul 2017 19:43:43 -0500 Subject: [PATCH] Secret and endpoint standardisation. This PS moves keystone credentials to the endpoints section within the values.yaml, and also adds a 'secrets' key, allowing standardisation of secrets and credential management across OpenStack-Helm. Change-Id: I86a21e625afd822379ac11351603b2c606a3769f --- barbican/templates/configmap-etc.yaml | 19 +++++ barbican/templates/job-db-init.yaml | 2 +- barbican/templates/job-ks-endpoints.yaml | 3 +- barbican/templates/job-ks-service.yaml | 3 +- barbican/templates/job-ks-user.yaml | 8 +- .../templates/secret-db.yaml | 19 ++--- .../templates/secret-keystone-admin.env.yaml | 32 -------- .../templates/secret-keystone-user.env.yaml | 32 -------- ...-db-root.env.yaml => secret-keystone.yaml} | 12 ++- barbican/values.yaml | 47 +++++------ cinder/templates/configmap-etc.yaml | 19 +++++ cinder/templates/job-bootstrap.yaml | 3 +- cinder/templates/job-db-init.yaml | 2 +- cinder/templates/job-ks-endpoints.yaml | 3 +- cinder/templates/job-ks-service.yaml | 3 +- cinder/templates/job-ks-user.yaml | 8 +- cinder/templates/pod-rally-test.yaml | 3 +- cinder/templates/secret-db-root.env.yaml | 7 -- cinder/templates/secret-db.yaml | 25 ++++++ .../templates/secret-keystone-admin.env.yaml | 34 -------- .../templates/secret-keystone-user.env.yaml | 34 -------- cinder/templates/secret-keystone.yaml | 25 ++++++ cinder/values.yaml | 40 ++++++---- glance/templates/configmap-etc.yaml | 39 +++++++++ glance/templates/job-bootstrap.yaml | 4 +- glance/templates/job-db-init.yaml | 2 +- glance/templates/job-ks-endpoints.yaml | 3 +- glance/templates/job-ks-service.yaml | 5 +- glance/templates/job-ks-user.yaml | 10 +-- glance/templates/pod-rally-test.yaml | 3 +- glance/templates/secret-db-root.env.yaml | 7 -- glance/templates/secret-db.yaml | 25 ++++++ .../templates/secret-keystone-admin.env.yaml | 34 -------- .../templates/secret-keystone-user.env.yaml | 34 -------- 
glance/templates/secret-keystone.yaml | 25 ++++++ glance/values.yaml | 47 +++++------ heat/templates/configmap-etc.yaml | 48 +++++++++++ heat/templates/job-db-init.yaml | 2 +- heat/templates/job-ks-endpoints.yaml | 3 +- heat/templates/job-ks-service.yaml | 3 +- heat/templates/job-ks-user.yaml | 30 +++---- heat/templates/secret-db-root.env.yaml | 7 -- heat/templates/secret-db.yaml | 25 ++++++ heat/templates/secret-keystone-admin.env.yaml | 34 -------- .../secret-keystone-trustee.env.yaml | 34 -------- heat/templates/secret-keystone-user.env.yaml | 34 -------- heat/templates/secret-keystone.yaml | 37 +++++++++ heat/values.yaml | 79 ++++++++++--------- .../snippets/_keystone_secret_openrc.tpl | 27 +++++++ keystone/templates/bin/_db-sync.sh.tpl | 14 ++-- keystone/templates/job-bootstrap.yaml | 3 +- keystone/templates/job-db-init.yaml | 2 +- keystone/templates/job-db-sync.yaml | 10 +++ keystone/templates/pod-rally-test.yaml | 3 +- keystone/templates/secret-db-root.env.yaml | 7 -- keystone/templates/secret-db.yaml | 25 ++++++ .../templates/secret-keystone-admin.env.yaml | 34 -------- .../templates/secret-keystone.yaml | 10 ++- keystone/values.yaml | 25 ++++-- magnum/templates/configmap-etc.yaml | 19 +++++ magnum/templates/job-db-init.yaml | 2 +- magnum/templates/job-ks-endpoints.yaml | 3 +- magnum/templates/job-ks-service.yaml | 3 +- magnum/templates/job-ks-user.yaml | 8 +- magnum/templates/secret-db-root.env.yaml | 7 -- magnum/templates/secret-db.yaml | 25 ++++++ .../templates/secret-keystone-admin.env.yaml | 34 -------- .../templates/secret-keystone-user.env.yaml | 34 -------- magnum/templates/secret-keystone.yaml | 25 ++++++ magnum/values.yaml | 40 ++++++---- mistral/templates/configmap-etc.yaml | 19 +++++ mistral/templates/job-db-init.yaml | 2 +- mistral/templates/job-ks-endpoints.yaml | 3 +- mistral/templates/job-ks-service.yaml | 3 +- mistral/templates/job-ks-user.yaml | 8 +- mistral/templates/secret-db.yaml | 25 ++++++ .../templates/secret-keystone-admin.env.yaml 
| 35 -------- .../templates/secret-keystone-user.env.yaml | 34 -------- mistral/templates/secret-keystone.yaml | 25 ++++++ mistral/values.yaml | 46 ++++++----- neutron/templates/configmap-etc.yaml | 19 +++++ neutron/templates/job-db-init.yaml | 2 +- neutron/templates/job-ks-endpoints.yaml | 3 +- neutron/templates/job-ks-service.yaml | 3 +- neutron/templates/job-ks-user.yaml | 8 +- neutron/templates/pod-rally-test.yaml | 3 +- neutron/templates/secret-db-root.env.yaml | 7 -- neutron/templates/secret-db.yaml | 25 ++++++ .../templates/secret-keystone-admin.env.yaml | 34 -------- .../templates/secret-keystone-user.env.yaml | 34 -------- neutron/templates/secret-keystone.yaml | 25 ++++++ neutron/values.yaml | 47 +++++------ nova/templates/configmap-etc.yaml | 19 +++++ nova/templates/job-bootstrap.yaml | 3 +- nova/templates/job-db-init.yaml | 4 +- nova/templates/job-ks-endpoints.yaml | 3 +- nova/templates/job-ks-service.yaml | 3 +- nova/templates/job-ks-user.yaml | 8 +- nova/templates/pod-rally-test.yaml | 3 +- nova/templates/secret-db-api.yaml | 25 ++++++ nova/templates/secret-db-root.env.yaml | 7 -- nova/templates/secret-db.yaml | 25 ++++++ nova/templates/secret-keystone-admin.env.yaml | 34 -------- nova/templates/secret-keystone-user.env.yaml | 34 -------- nova/templates/secret-keystone.yaml | 25 ++++++ nova/values.yaml | 42 ++++++---- senlin/templates/configmap-etc.yaml | 19 +++++ senlin/templates/job-db-init.yaml | 2 +- senlin/templates/job-ks-endpoints.yaml | 3 +- senlin/templates/job-ks-service.yaml | 3 +- senlin/templates/job-ks-user.yaml | 8 +- senlin/templates/secret-db-root.env.yaml | 7 -- senlin/templates/secret-db.yaml | 25 ++++++ .../templates/secret-keystone-admin.env.yaml | 34 -------- .../templates/secret-keystone-user.env.yaml | 34 -------- senlin/templates/secret-keystone.yaml | 25 ++++++ senlin/values.yaml | 47 +++++------ 117 files changed, 1085 insertions(+), 1084 deletions(-) rename heat/templates/secret-keystone-stack-user.env.yaml => 
barbican/templates/secret-db.yaml (51%) delete mode 100644 barbican/templates/secret-keystone-admin.env.yaml delete mode 100644 barbican/templates/secret-keystone-user.env.yaml rename barbican/templates/{secret-db-root.env.yaml => secret-keystone.yaml} (63%) delete mode 100644 cinder/templates/secret-db-root.env.yaml create mode 100644 cinder/templates/secret-db.yaml delete mode 100644 cinder/templates/secret-keystone-admin.env.yaml delete mode 100644 cinder/templates/secret-keystone-user.env.yaml create mode 100644 cinder/templates/secret-keystone.yaml delete mode 100644 glance/templates/secret-db-root.env.yaml create mode 100644 glance/templates/secret-db.yaml delete mode 100644 glance/templates/secret-keystone-admin.env.yaml delete mode 100644 glance/templates/secret-keystone-user.env.yaml create mode 100644 glance/templates/secret-keystone.yaml delete mode 100644 heat/templates/secret-db-root.env.yaml create mode 100644 heat/templates/secret-db.yaml delete mode 100644 heat/templates/secret-keystone-admin.env.yaml delete mode 100644 heat/templates/secret-keystone-trustee.env.yaml delete mode 100644 heat/templates/secret-keystone-user.env.yaml create mode 100644 heat/templates/secret-keystone.yaml create mode 100644 helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl delete mode 100644 keystone/templates/secret-db-root.env.yaml create mode 100644 keystone/templates/secret-db.yaml delete mode 100644 keystone/templates/secret-keystone-admin.env.yaml rename mistral/templates/secret-db-root.env.yaml => keystone/templates/secret-keystone.yaml (68%) delete mode 100644 magnum/templates/secret-db-root.env.yaml create mode 100644 magnum/templates/secret-db.yaml delete mode 100644 magnum/templates/secret-keystone-admin.env.yaml delete mode 100644 magnum/templates/secret-keystone-user.env.yaml create mode 100644 magnum/templates/secret-keystone.yaml create mode 100644 mistral/templates/secret-db.yaml delete mode 100644 
mistral/templates/secret-keystone-admin.env.yaml delete mode 100644 mistral/templates/secret-keystone-user.env.yaml create mode 100644 mistral/templates/secret-keystone.yaml delete mode 100644 neutron/templates/secret-db-root.env.yaml create mode 100644 neutron/templates/secret-db.yaml delete mode 100644 neutron/templates/secret-keystone-admin.env.yaml delete mode 100644 neutron/templates/secret-keystone-user.env.yaml create mode 100644 neutron/templates/secret-keystone.yaml create mode 100644 nova/templates/secret-db-api.yaml delete mode 100644 nova/templates/secret-db-root.env.yaml create mode 100644 nova/templates/secret-db.yaml delete mode 100644 nova/templates/secret-keystone-admin.env.yaml delete mode 100644 nova/templates/secret-keystone-user.env.yaml create mode 100644 nova/templates/secret-keystone.yaml delete mode 100644 senlin/templates/secret-db-root.env.yaml create mode 100644 senlin/templates/secret-db.yaml delete mode 100644 senlin/templates/secret-keystone-admin.env.yaml delete mode 100644 senlin/templates/secret-keystone-user.env.yaml create mode 100644 senlin/templates/secret-keystone.yaml diff --git a/barbican/templates/configmap-etc.yaml b/barbican/templates/configmap-etc.yaml index 1468de7cee..27654c7c19 100644 --- a/barbican/templates/configmap-etc.yaml +++ b/barbican/templates/configmap-etc.yaml 
@@ -20,6 +20,25 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty 
.Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} diff --git a/barbican/templates/job-db-init.yaml b/barbican/templates/job-db-init.yaml index dd0f2667d4..fd8d901a78 100644 --- a/barbican/templates/job-db-init.yaml +++ b/barbican/templates/job-db-init.yaml @@ -41,7 +41,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: barbican-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/barbican/barbican.conf diff --git a/barbican/templates/job-ks-endpoints.yaml b/barbican/templates/job-ks-endpoints.yaml index cb9cb2376a..86789f3ee7 100644 --- a/barbican/templates/job-ks-endpoints.yaml +++ b/barbican/templates/job-ks-endpoints.yaml @@ -11,7 +11,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "barbican-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -48,7 +47,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/barbican/templates/job-ks-service.yaml b/barbican/templates/job-ks-service.yaml index f63c4565ca..2f6b2cad45 100644 --- a/barbican/templates/job-ks-service.yaml +++ b/barbican/templates/job-ks-service.yaml 
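Review bot: The six `if empty … set …` blocks copy `endpoints.identity.auth.user.*`, `password` included, into the `keystone_authtoken` map that this template presumably renders into the ConfigMap further down, so after this change the service password is carried both by the Secret that secret-keystone.yaml generates from the same values and by the ConfigMap; the block deserves a comment saying so, e.g. `# fall back to endpoints.identity.auth.user for keystone_authtoken; the password is rendered into this ConfigMap as well as the keystone Secret`. The same six blocks are added to cinder/templates/configmap-etc.yaml later in this patch (and, per the diffstat, to the other charts' configmap-etc.yaml), and they differ only in the key name, so a single `range` over the key names keeps each chart's template short. The `auth_token` map itself stays defined in values.yaml (the values hunk removes only its region/project/user keys), so the `index` lookups below remain valid.
```yaml
{{- $authToken := .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token }}
{{- $userAuth := .Values.endpoints.identity.auth.user }}
{{- range $key := tuple "region_name" "project_name" "project_domain_name" "user_domain_name" "username" "password" }}
{{- if empty (index $authToken $key) -}}
{{- set $authToken $key (index $userAuth $key) | quote | trunc 0 -}}
{{- end -}}
{{- end -}}
# … unchanged: memcached_servers fallback …
```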
@@ -11,7 +11,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "barbican-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job @@ -47,7 +46,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/barbican/templates/job-ks-user.yaml b/barbican/templates/job-ks-user.yaml index af526735b8..72956095d3 100644 --- a/barbican/templates/job-ks-user.yaml +++ b/barbican/templates/job-ks-user.yaml @@ -10,8 +10,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "barbican-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "barbican-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} apiVersion: batch/v1 @@ -47,16 +45,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "barbican" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.barbican_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: 
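Review bot: In the job-ks-user.yaml hunk the admin secret name is read as `$envAll.Values.secrets.identity.admin` while the user secret four lines later is read as `.Values.secrets.identity.user`; both resolve the same root today, but `$envAll` is the explicit root handle this file already defines, and mixing the two forms in one `env:` list reads as an oversight, so `{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.user }}` would match the line above it. The bare `.Values` form recurs in cinder/templates/job-bootstrap.yaml, cinder/templates/job-ks-user.yaml and cinder/templates/pod-rally-test.yaml further down, where `$envAll` is likewise in scope.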
diff --git a/heat/templates/secret-keystone-stack-user.env.yaml b/barbican/templates/secret-db.yaml similarity index 51% rename from heat/templates/secret-keystone-stack-user.env.yaml rename to barbican/templates/secret-db.yaml index 18bdf9a7ee..f8c9dffe58 100644 --- a/heat/templates/secret-keystone-stack-user.env.yaml +++ b/barbican/templates/secret-db.yaml @@ -11,20 +11,15 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +--- apiVersion: v1 kind: Secret metadata: - name: {{ .Values.keystone_secrets.stack }} + name: {{ $secretName }} type: Opaque data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.heat_stack_region_name | b64enc | indent 4 }} - OS_DOMAIN_NAME: | -{{ .Values.conf.heat.default.heat.common.config.stack_user_domain_name | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.conf.heat.default.heat.common.config.stack_domain_admin | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.conf.heat.default.heat.common.config.stack_domain_admin_password | b64enc | indent 4 }} + DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- end }} diff --git a/barbican/templates/secret-keystone-admin.env.yaml b/barbican/templates/secret-keystone-admin.env.yaml deleted file mode 100644 index 99e086ca62..0000000000 --- a/barbican/templates/secret-keystone-admin.env.yaml +++ /dev/null 
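Review bot: The loop variable `$key1` in `{{- range $key1, $userClass := tuple "admin" "user" }}` is never used; `{{- range $userClass := tuple "admin" "user" }}` expresses the same iteration. The template now emits two Secrets, and of these only the admin one (`secrets.oslo_db.admin`) has a consumer visible in this patch (job-db-init.yaml); if nothing reads the `user` one it is a second copy of the DB credential sitting in the namespace, so the range deserves a comment such as `# one Secret per DB credential class named in .Values.secrets.oslo_db; admin is consumed by job-db-init`. The same template is added verbatim as cinder/templates/secret-db.yaml below (and, per the diffstat, to the other charts), so both points apply there too.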
@@ -1,32 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: barbican-env-keystone-admin
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.keystone.admin_user | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.keystone.admin_password | b64enc | indent 4 }}
diff --git a/barbican/templates/secret-keystone-user.env.yaml b/barbican/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index a642f8eed3..0000000000
--- a/barbican/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: barbican-env-keystone-user
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }}
diff --git a/barbican/templates/secret-db-root.env.yaml b/barbican/templates/secret-keystone.yaml
similarity index 63%
rename from barbican/templates/secret-db-root.env.yaml
rename to barbican/templates/secret-keystone.yaml
index a3ff08516c..2507c3b3b8 100644
--- a/barbican/templates/secret-db-root.env.yaml
+++ b/barbican/templates/secret-keystone.yaml
@@ -1,3 +1,5 @@ +# Copyright 2017 The Openstack-Helm Authors. +# # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -9,11 +11,15 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- apiVersion: v1 kind: Secret metadata: - name: barbican-db-root + name: {{ $secretName }} type: Opaque data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/barbican/values.yaml b/barbican/values.yaml index 2f707379f9..02aa941339 100644 --- a/barbican/values.yaml +++ b/barbican/values.yaml @@ -45,22 +45,6 @@ network: enabled: false port: 39486 -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - - barbican_user: "barbican" - barbican_user_domain: "default" - barbican_user_role: "admin" - barbican_password: "password" - barbican_project_name: "service" - barbican_project_domain: "default" - barbican_region_name: "RegionOne" - dependencies: db_init: services: @@ -115,12 +99,6 @@ conf: auth_token: auth_type: password auth_version: v3 - region_name: RegionOne - project_domain_name: default - project_name: service - user_domain_name: default - username: barbican - password: password database: oslo: db: 
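Review bot: The removed admin secret built `OS_AUTH_URL` from `tuple "identity" "admin" "admin"`, whereas the replacement passes `"internal"` for both user classes to `helm-toolkit.snippets.keystone_secret_openrc`; if the second tuple element selects the endpoint class (the snippet is outside this chunk), the admin openrc now targets the internal rather than the admin Keystone endpoint, a behaviour change the commit message does not mention and that should either be documented or made per class. Separately, `data:` is followed by `{{-`, which trims the newline after `data:`, so the rendered Secret is valid YAML only if the snippet's output begins with a newline; `{{ tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 }}` without the left trim is correct regardless of how the snippet starts.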
@@ -130,9 +108,34 @@ conf: config: bind_port: 9311 +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: barbican-keystone-admin + user: barbican-keystone-user + oslo_db: + admin: barbican-db-admin + user: barbican-db-user + endpoints: identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: barbican + password: password + project_name: service + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml index 6446a281f4..b4217edb26 100644 --- a/cinder/templates/configmap-etc.yaml +++ b/cinder/templates/configmap-etc.yaml 
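Review bot: The comment `# Names of secrets used by bootstrap and environmental checks` understates what `secrets:` drives: in this patch these names are also what secret-db.yaml and secret-keystone.yaml use for the Secrets they render and what job-db-init.yaml and the ks-* jobs read; suggest `# Names of the Kubernetes Secrets this chart renders (secret-db.yaml, secret-keystone.yaml) and that its jobs consume`. The new `endpoints.identity.auth` block is the single source for both the admin and the service credentials, and configmap-etc.yaml now copies the `user` entries into `keystone_authtoken`, so a one-line comment above `auth:` pointing at those two consumers would make the data flow visible to someone editing the values.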
@@ -23,6 +23,25 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty 
.Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml index 13cc3a856b..584616d95e 100644 --- a/cinder/templates/job-bootstrap.yaml +++ b/cinder/templates/job-bootstrap.yaml @@ -14,7 +14,6 @@ {{- if .Values.bootstrap.enabled }} {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "cinder-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.bootstrap }} apiVersion: batch/v1 kind: Job @@ -44,7 +43,7 @@ spec: command: - /tmp/bootstrap.sh env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} volumeMounts: diff --git a/cinder/templates/job-db-init.yaml b/cinder/templates/job-db-init.yaml index 15f5b85108..37a00751e0 100644 --- a/cinder/templates/job-db-init.yaml +++ b/cinder/templates/job-db-init.yaml @@ -43,7 +43,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: cinder-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/cinder/cinder.conf diff --git a/cinder/templates/job-ks-endpoints.yaml b/cinder/templates/job-ks-endpoints.yaml index 0cdfd2bc89..b10d4ee835 100644 --- a/cinder/templates/job-ks-endpoints.yaml +++ b/cinder/templates/job-ks-endpoints.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "cinder-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job 
@@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/cinder/templates/job-ks-service.yaml b/cinder/templates/job-ks-service.yaml index 56ecfc1e26..2e4e0c2f3b 100644 --- a/cinder/templates/job-ks-service.yaml +++ b/cinder/templates/job-ks-service.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "cinder-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job @@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml index 521e9ea852..ea884376ba 100644 --- a/cinder/templates/job-ks-user.yaml +++ b/cinder/templates/job-ks-user.yaml @@ -12,8 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "cinder-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "cinder-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} apiVersion: batch/v1 
@@ -49,16 +47,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "cinder" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.cinder_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml index 22b5648687..80caaaf399 100644 --- a/cinder/templates/pod-rally-test.yaml +++ b/cinder/templates/pod-rally-test.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "cinder-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.tests }} {{- $mounts_cinder_tests := .Values.mounts.cinder_tests.cinder_tests }} {{- $mounts_cinder_tests_init := .Values.mounts.cinder_tests.init_container }} @@ -42,7 +41,7 @@ spec: memory: {{ .Values.resources.tests.requests.memory | quote }} {{- end }} env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- end }} - name: RALLY_ENV_NAME diff --git a/cinder/templates/secret-db-root.env.yaml b/cinder/templates/secret-db-root.env.yaml deleted file mode 100644 index 1af541d40c..0000000000 --- a/cinder/templates/secret-db-root.env.yaml +++ /dev/null 
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: cinder-db-root
-type: Opaque
-data:
- DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
diff --git a/cinder/templates/secret-db.yaml b/cinder/templates/secret-db.yaml
new file mode 100644
index 0000000000..f8c9dffe58
--- /dev/null
+++ b/cinder/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/cinder/templates/secret-keystone-admin.env.yaml b/cinder/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index f804604ff5..0000000000
--- a/cinder/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: cinder-env-keystone-admin -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.admin_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.admin_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.admin_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.admin_password | b64enc | indent 4 }} diff --git a/cinder/templates/secret-keystone-user.env.yaml b/cinder/templates/secret-keystone-user.env.yaml deleted file mode 100644 index 15457b23d2..0000000000 --- a/cinder/templates/secret-keystone-user.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: cinder-env-keystone-user -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }} diff --git a/cinder/templates/secret-keystone.yaml b/cinder/templates/secret-keystone.yaml new file mode 100644 index 0000000000..2507c3b3b8 --- /dev/null +++ b/cinder/templates/secret-keystone.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/cinder/values.yaml b/cinder/values.yaml index b42e4aeb0d..d8b25798b1 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml @@ -67,15 +67,6 @@ bootstrap: group: volume_backend_name: -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - cinder_user_role: "admin" - network: api: ingress: @@ -129,12 +120,6 @@ conf: auth_token: auth_version: v3 auth_type: password - region_name: RegionOne - project_domain_name: default - project_name: service - user_domain_name: default - username: cinder - password: password oslo_concurrency: oslo: concurrency: 
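Review bot: secret-keystone.yaml passes `"internal"` to `helm-toolkit.snippets.keystone_secret_openrc` for both user classes, whereas the deleted secret-keystone-admin.env.yaml built the admin OS_AUTH_URL from `tuple "identity" "admin" "admin"`; if the snippet derives OS_AUTH_URL from that argument, the admin-scoped jobs (ks-user, ks-service, ks-endpoints, bootstrap, tests) now authenticate against the internal identity endpoint instead of the admin one. Confirm that is intended and that the internal endpoint serves what the ks-* scripts need, or select the endpoint type per `$userClass`. The same applies to glance/templates/secret-keystone.yaml in this change. The snippet itself is outside this diff.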
@@ -235,12 +220,37 @@ dependencies: - service: volume endpoint: internal +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: cinder-keystone-admin + user: cinder-keystone-user + oslo_db: + admin: cinder-db-admin + user: cinder-db-user + # We use a different layout of the endpoints here to account for versioning # this swaps the service name and type, and should be rolled out to other # services. endpoints: identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: cinder + password: password + project_name: service + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml index c751b64f66..f4e1a2764f 100644 --- a/glance/templates/configmap-etc.yaml +++ b/glance/templates/configmap-etc.yaml 
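Review bot: The new `endpoints.identity.auth` block sets `password: password` as the default for both the keystone admin and the cinder service user, and these values are what the new `cinder-keystone-admin` / `cinder-keystone-user` Secrets are rendered from, so a comment on the block should say they are development placeholders, e.g. `# Default credentials are development placeholders; override every password in deployment overrides`. The comment `# Names of secrets used by bootstrap and environmental checks` understates the use: the identity secrets are also mounted by the ks-* jobs and `oslo_db.admin` by job-db-init, so `# Names of the Secrets this chart renders; consumed by the ks-* jobs, db-init, bootstrap and tests` is more accurate. Both points apply equally to the glance/values.yaml hunk in this change.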
@@ -29,6 +29,44 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + +{{- if empty 
.Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . 
| include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} @@ -66,6 +104,7 @@ {{- tuple "image" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.glance.default.glance.api "public_endpoint" | quote | trunc 0 -}} {{- end -}} + apiVersion: v1 kind: ConfigMap metadata: diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml index fd36e23def..eb52825dc7 100644 --- a/glance/templates/job-bootstrap.yaml +++ b/glance/templates/job-bootstrap.yaml @@ -13,8 +13,8 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "glance-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.bootstrap }} +--- apiVersion: batch/v1 kind: Job metadata: @@ -41,7 +41,7 @@ spec: memory: {{ .Values.resources.jobs.bootstrap.requests.memory | quote }} {{- end }} env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} command: diff --git a/glance/templates/job-db-init.yaml b/glance/templates/job-db-init.yaml index 76c9ba820b..11518c854d 100644 --- a/glance/templates/job-db-init.yaml +++ b/glance/templates/job-db-init.yaml @@ -43,7 +43,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: glance-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/glance/glance-api.conf diff --git a/glance/templates/job-ks-endpoints.yaml b/glance/templates/job-ks-endpoints.yaml index f163f4394d..401a3d0f47 100644 --- a/glance/templates/job-ks-endpoints.yaml +++ b/glance/templates/job-ks-endpoints.yaml 
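Review bot: The twelve `if empty … set …` blocks for `conf.glance` and `conf.glance_registry` differ only in the section and the key name, so a loop over the two sections and the six keys would replace them and remove the copy-paste surface that this pattern invites. Note also that the service user's `password` is copied into `conf.glance.keystone_authtoken`, which this template renders into a ConfigMap (`kind: ConfigMap` in the following hunk) rather than a Secret; that was already the case before this change, but a comment on the block noting that the rendered glance-api.conf carries the credential would help operators scope ConfigMap read access. The remainder of the template is outside the hunk.
```yaml
{{- $authUser := .Values.endpoints.identity.auth.user }}
{{- range $section := tuple .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token }}
{{- range $key := tuple "region_name" "project_name" "project_domain_name" "user_domain_name" "username" "password" }}
{{- if empty (index $section $key) -}}
{{- set $section $key (index $authUser $key) | quote | trunc 0 -}}
{{- end -}}
{{- end -}}
{{- end -}}
# … unchanged: memcached_servers and remaining endpoint lookups …
```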
@@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "glance-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/glance/templates/job-ks-service.yaml b/glance/templates/job-ks-service.yaml index aa6587cd1c..0b22ad26e7 100644 --- a/glance/templates/job-ks-service.yaml +++ b/glance/templates/job-ks-service.yaml @@ -11,10 +11,9 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "glance-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_service }} +--- apiVersion: batch/v1 kind: Job metadata: @@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/glance/templates/job-ks-user.yaml b/glance/templates/job-ks-user.yaml index 9ffd431709..f9aa6224f5 100644 --- a/glance/templates/job-ks-user.yaml +++ b/glance/templates/job-ks-user.yaml 
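Review bot: glance/templates/job-ks-service.yaml gains a `---` document separator between the variable assignments and `apiVersion:` (as do job-bootstrap and job-ks-user in this change), while job-ks-endpoints.yaml and pod-rally-test.yaml are edited in the same commit without it; the templates in one chart should agree on whether the leading `---` is used. Either drop the added `---` lines or add one to the other two templates so the convention is uniform.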
@@ -11,11 +11,9 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "glance-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "glance-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} +--- apiVersion: batch/v1 kind: Job metadata: @@ -49,16 +47,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "glance" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.glance_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: diff --git a/glance/templates/pod-rally-test.yaml b/glance/templates/pod-rally-test.yaml index f4d8d983f0..3e48c5c230 100644 --- a/glance/templates/pod-rally-test.yaml +++ b/glance/templates/pod-rally-test.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "glance-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.tests }} {{- $mounts_glance_tests := .Values.mounts.glance_tests.glance_tests }} {{- $mounts_glance_tests_init := .Values.mounts.glance_tests.init_container }} 
@@ -42,7 +41,7 @@ spec: memory: {{ .Values.resources.tests.requests.memory | quote }} {{- end }} env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- end }} - name: RALLY_ENV_NAME diff --git a/glance/templates/secret-db-root.env.yaml b/glance/templates/secret-db-root.env.yaml deleted file mode 100644 index f01d1d90f5..0000000000 --- a/glance/templates/secret-db-root.env.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: glance-db-root -type: Opaque -data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} diff --git a/glance/templates/secret-db.yaml b/glance/templates/secret-db.yaml new file mode 100644 index 0000000000..f8c9dffe58 --- /dev/null +++ b/glance/templates/secret-db.yaml 
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/glance/templates/secret-keystone-admin.env.yaml b/glance/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index 0e57ce09db..0000000000
--- a/glance/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: glance-env-keystone-admin -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.admin_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.admin_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.admin_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.admin_password | b64enc | indent 4 }} diff --git a/glance/templates/secret-keystone-user.env.yaml b/glance/templates/secret-keystone-user.env.yaml deleted file mode 100644 index 30052ab7a0..0000000000 --- a/glance/templates/secret-keystone-user.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: glance-env-keystone-user -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }} diff --git a/glance/templates/secret-keystone.yaml b/glance/templates/secret-keystone.yaml new file mode 100644 index 0000000000..2507c3b3b8 --- /dev/null +++ b/glance/templates/secret-keystone.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/glance/values.yaml b/glance/values.yaml index e5ed078bee..c5ba55dc68 100644 --- a/glance/values.yaml +++ b/glance/values.yaml @@ -76,16 +76,6 @@ bootstrap: hypervisor_type: "qemu" os_distro: "cirros" -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - glance_user_role: "admin" - - conf: rally_tests: override: @@ -120,12 +110,6 @@ conf: auth_token: auth_type: password auth_version: v3 - region_name: RegionOne - project_domain_name: default - project_name: service - user_domain_name: default - username: glance - password: password glance_store: glance: store: @@ -151,12 +135,6 @@ conf: auth_token: auth_type: password auth_version: v3 - region_name: RegionOne - project_domain_name: default - project_name: service - user_domain_name: default - username: glance - password: password network: api: 
@@ -296,12 +274,37 @@ dependencies: - service: image endpoint: internal +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: glance-keystone-admin + user: glance-keystone-user + oslo_db: + admin: glance-db-admin + user: glance-db-user + # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: glance + password: password + project_name: service + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone diff --git a/heat/templates/configmap-etc.yaml b/heat/templates/configmap-etc.yaml index 5097230d42..27dd71cd8e 100644 --- a/heat/templates/configmap-etc.yaml +++ b/heat/templates/configmap-etc.yaml 
@@ -23,6 +23,54 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + +{{- if empty .Values.conf.heat.trustee.heat.common.context.region_name -}} +{{- set 
.Values.conf.heat.trustee.heat.common.context "region_name" .Values.endpoints.identity.auth.trustee.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.trustee.heat.common.context.project_name -}} +{{- set .Values.conf.heat.trustee.heat.common.context "project_name" .Values.endpoints.identity.auth.trustee.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.trustee.heat.common.context.project_domain_name -}} +{{- set .Values.conf.heat.trustee.heat.common.context "project_domain_name" .Values.endpoints.identity.auth.trustee.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.trustee.heat.common.context.user_domain_name -}} +{{- set .Values.conf.heat.trustee.heat.common.context "user_domain_name" .Values.endpoints.identity.auth.trustee.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.trustee.heat.common.context.username -}} +{{- set .Values.conf.heat.trustee.heat.common.context "username" .Values.endpoints.identity.auth.trustee.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.trustee.heat.common.context.password -}} +{{- set .Values.conf.heat.trustee.heat.common.context "password" .Values.endpoints.identity.auth.trustee.password | quote | trunc 0 -}} +{{- end -}} + +{{- if empty .Values.conf.heat.default.heat.common.config.stack_user_domain_name -}} +{{- set .Values.conf.heat.default.heat.common.config "stack_user_domain_name" .Values.endpoints.identity.auth.stack_user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.default.heat.common.config.stack_domain_admin -}} +{{- set .Values.conf.heat.default.heat.common.config "stack_domain_admin" .Values.endpoints.identity.auth.stack_user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.default.heat.common.config.stack_domain_admin_password -}} +{{- set .Values.conf.heat.default.heat.common.config 
"stack_domain_admin_password" .Values.endpoints.identity.auth.stack_user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} diff --git a/heat/templates/job-db-init.yaml b/heat/templates/job-db-init.yaml index 1693fbcc86..76162596b3 100644 --- a/heat/templates/job-db-init.yaml +++ b/heat/templates/job-db-init.yaml @@ -43,7 +43,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: heat-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/heat/heat.conf diff --git a/heat/templates/job-ks-endpoints.yaml b/heat/templates/job-ks-endpoints.yaml index 9010a55daf..32892f4993 100644 --- a/heat/templates/job-ks-endpoints.yaml +++ b/heat/templates/job-ks-endpoints.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone_secrets.admin }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/heat/templates/job-ks-service.yaml b/heat/templates/job-ks-service.yaml index 22de825ca8..b3e59fe8e2 100644 --- a/heat/templates/job-ks-service.yaml +++ b/heat/templates/job-ks-service.yaml 
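Review bot: `stack_user_domain_name` is populated from `.Values.endpoints.identity.auth.stack_user.region_name`, which is a region, not a domain; the stack user's Secret carries an `OS_DOMAIN_NAME` key (see the heat job-ks-user hunk), so heat's `[DEFAULT] stack_user_domain_name` should be filled from the corresponding domain field of `endpoints.identity.auth.stack_user` (heat/values.yaml is not in this chunk, so the exact key name is not visible here). As written the option receives a region name and the stack domain lookup will not match. The eighteen `if empty … set …` blocks for the auth_token, trustee and stack_user sections are otherwise the same shape and would be safer as a loop over a section/key table, which is also how this copy-paste slip would have been avoided. The rest of the template is outside the hunk.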
@@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone_secrets.admin }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job @@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/heat/templates/job-ks-user.yaml b/heat/templates/job-ks-user.yaml index f954fa2a9c..99f02a9c97 100644 --- a/heat/templates/job-ks-user.yaml +++ b/heat/templates/job-ks-user.yaml @@ -14,11 +14,7 @@ {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} -{{- $ksAdminSecret := .Values.keystone_secrets.admin }} -{{- $ksUserSecret := .Values.keystone_secrets.user }} # The heat user management job is a bit different from other services as it also needs to create a stack domain and trusts user -{{- $ksTrusteeUserSecret := .Values.keystone_secrets.trustee }} -{{- $ksStackUserSecret := .Values.keystone_secrets.stack }} apiVersion: batch/v1 kind: Job metadata: 
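Review bot: In heat/templates/job-ks-user.yaml the comment `# The heat user management job is a bit different from other services as it also needs to create a stack domain and trusts user` now stands alone after the `$ksTrusteeUserSecret` / `$ksStackUserSecret` assignments it introduced were removed, directly before `apiVersion:`, so it reads as a header for the whole Job rather than an explanation of the extra containers. Either move it next to the `heat-ks-trustee-user` container (outside this hunk) or reword it to `# Besides the service user, this job also creates the trustee and stack-domain users; see the additional containers below`.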
@@ -52,21 +48,20 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "heat" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.heat_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} - name: heat-ks-trustee-user image: {{ .Values.images.ks_user }} imagePullPolicy: {{ .Values.images.pull_policy }} command: - - bash - /tmp/ks-user.sh volumeMounts: - name: ks-user-sh @@ -74,21 +69,20 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "heat" -{{- with $env := dict "ksUserSecret" $ksTrusteeUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.trustee }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.heat_trustee_role | quote }} + value: {{ .Values.endpoints.identity.auth.trustee.role | quote }} - name: heat-ks-domain-user image: {{ .Values.images.ks_user }} imagePullPolicy: {{ .Values.images.pull_policy }} command: - - bash - /tmp/ks-domain-user.sh volumeMounts: - name: ks-user-sh 
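Review bot: Dropping `- bash` from `command:` for the `heat-ks-trustee-user` and `heat-ks-domain-user` containers means `/tmp/ks-user.sh` and `/tmp/ks-domain-user.sh` must carry the execute bit; they are mounted from a ConfigMap with `subPath`, and ConfigMap volumes default to mode 0644 unless the volume sets `defaultMode`, which is outside this hunk, so confirm the `ks-user-sh` volume sets `defaultMode: 0555` or keep the interpreter in the command. Separately, the same hunk reads the admin secret name as `$envAll.Values.secrets.identity.admin` but the user and trustee names as `.Values.secrets.identity.user` / `.Values.secrets.identity.trustee`; both resolve because the `dict` is evaluated before `with` rebinds the dot, but one form should be used throughout the template. The container definitions continue outside the hunk.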
@@ -96,7 +90,7 @@ spec: subPath: ks-domain-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME @@ -104,25 +98,25 @@ spec: - name: SERVICE_OS_REGION_NAME valueFrom: secretKeyRef: - name: {{ $ksStackUserSecret }} + name: {{ .Values.secrets.identity.stack_user }} key: OS_REGION_NAME - name: SERVICE_OS_DOMAIN_NAME valueFrom: secretKeyRef: - name: {{ $ksStackUserSecret }} + name: {{ .Values.secrets.identity.stack_user }} key: OS_DOMAIN_NAME - name: SERVICE_OS_USERNAME valueFrom: secretKeyRef: - name: {{ $ksStackUserSecret }} + name: {{ .Values.secrets.identity.stack_user }} key: OS_USERNAME - name: SERVICE_OS_PASSWORD valueFrom: secretKeyRef: - name: {{ $ksStackUserSecret }} + name: {{ .Values.secrets.identity.stack_user }} key: OS_PASSWORD - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.heat_stack_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.stack_user.role | quote }} volumes: - name: ks-user-sh configMap: diff --git a/heat/templates/secret-db-root.env.yaml b/heat/templates/secret-db-root.env.yaml deleted file mode 100644 index a4fbce8621..0000000000 --- a/heat/templates/secret-db-root.env.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: heat-db-root -type: Opaque -data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} diff --git a/heat/templates/secret-db.yaml b/heat/templates/secret-db.yaml new file mode 100644 index 0000000000..f8c9dffe58 --- /dev/null +++ b/heat/templates/secret-db.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- end }} diff --git a/heat/templates/secret-keystone-admin.env.yaml b/heat/templates/secret-keystone-admin.env.yaml deleted file mode 100644 index f795623847..0000000000 --- a/heat/templates/secret-keystone-admin.env.yaml +++ /dev/null 
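Review bot: `{{- range $key1, $userClass := tuple "admin" "user" }}` binds `$key1` but never uses it; Go templates assign the element to a single range variable, so `{{- range $userClass := tuple "admin" "user" }}` says the same thing without the dead name. The same pattern appears in the new heat secret-keystone.yaml, keystone secret-db.yaml and secret-keystone.yaml, and magnum secret-db.yaml and secret-keystone.yaml hunks below.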
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keystone_secrets.admin }} -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.admin_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.admin_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.admin_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.admin_password | b64enc | indent 4 }} diff --git a/heat/templates/secret-keystone-trustee.env.yaml b/heat/templates/secret-keystone-trustee.env.yaml deleted file mode 100644 index 3d92a70132..0000000000 --- a/heat/templates/secret-keystone-trustee.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keystone_secrets.trustee }} -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.heat_trustee_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.conf.heat.trustee.heat.common.context.project_domain_name | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.conf.heat.trustee.heat.common.context.project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.conf.heat.trustee.heat.common.context.user_domain_name | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.conf.heat.trustee.heat.common.context.username | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.conf.heat.trustee.heat.common.context.password | b64enc | indent 4 }} diff --git a/heat/templates/secret-keystone-user.env.yaml b/heat/templates/secret-keystone-user.env.yaml deleted file mode 100644 index 77ac3a3ca7..0000000000 --- a/heat/templates/secret-keystone-user.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keystone_secrets.user }} -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }} diff --git a/heat/templates/secret-keystone.yaml b/heat/templates/secret-keystone.yaml new file mode 100644 index 0000000000..8be0183661 --- /dev/null +++ b/heat/templates/secret-keystone.yaml 
@@ -0,0 +1,37 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" "trustee" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $envAll.Values.secrets.identity.stack_user }} +type: Opaque +data: + OS_AUTH_URL: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} + OS_REGION_NAME: {{ .Values.endpoints.identity.auth.stack_user.region_name | b64enc | indent 4 }} + OS_DOMAIN_NAME: {{ .Values.endpoints.identity.auth.stack_user.domain_name | b64enc | indent 4 }} + OS_USERNAME: {{ .Values.endpoints.identity.auth.stack_user.username | b64enc | indent 4 }} + OS_PASSWORD: {{ .Values.endpoints.identity.auth.stack_user.password | b64enc | indent 4 }} diff --git a/heat/values.yaml b/heat/values.yaml index 2a0e8eb122..a031425b41 100644 --- a/heat/values.yaml +++ b/heat/values.yaml 
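Review bot: The four inline `OS_*` values in the stack_user Secret pipe through `| b64enc | indent 4`, but on a single-line scalar written after the key `indent` only prepends four spaces inside the value position (`OS_REGION_NAME:     Um...`); it was needed by the old block-scalar `|` layout that this file drops, and the new `keystone_secret_openrc` snippet rightly omits it. Drop `| indent 4` on those lines, e.g. `OS_REGION_NAME: {{ .Values.endpoints.identity.auth.stack_user.region_name | b64enc }}`. YAML ignores leading whitespace in a plain scalar, so this is tidiness rather than a rendering failure.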
@@ -64,29 +64,6 @@ termination_grace_period: cloudwatch: timeout: 30 -keystone_secrets: - admin: "heat-env-keystone-admin" - user: "heat-env-keystone-user" - trustee: "heat-env-keystone-trustee" - stack: "heat-env-keystone-stack-user" - -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - - heat_user_role: "admin" - - heat_trustee_role: "admin" - heat_trustee_region_name: "RegionOne" - - heat_stack_user_role: "admin" - heat_stack_region_name: "RegionOne" - - conf: paste: override: @@ -101,9 +78,6 @@ conf: heat: common: config: - stack_user_domain_name: heat - stack_domain_admin: heat-domain - stack_domain_admin_password: password num_engine_workers: 4 trusts_delegated_roles: _member_ keystone_authtoken: @@ -111,24 +85,12 @@ conf: auth_token: auth_type: password auth_version: v3 - region_name: RegionOne - project_domain_name: default - project_name: service - user_domain_name: default - username: heat - password: password trustee: heat: common: context: auth_section: trustee auth_type: password - password: password - user_domain_name: default - username: heat-trust - project_domain_name: default - project_name: service - region_name: RegionOne auth_version: v3 heat_api: heat: 
@@ -249,12 +211,53 @@ dependencies: - service: identity endpoint: internal +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: heat-keystone-admin + user: heat-keystone-user + trustee: heat-keystone-trustee + stack_user: heat-keystone-stack-user + oslo_db: + admin: heat-db-admin + user: heat-db-user + # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: heat + password: password + project_name: service + user_domain_name: default + project_domain_name: default + trustee: + role: admin + region_name: RegionOne + username: heat-trust + password: password + project_name: service + user_domain_name: default + project_domain_name: default + stack_user: + role: admin + region_name: RegionOne + username: heat-trust + password: password + domain_name: heat hosts: default: keystone-api public: keystone diff --git a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl new file mode 100644 index 0000000000..3229f6a30d --- /dev/null +++ b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl 
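Review bot: `stack_user.username: heat-trust` duplicates the trustee username; the conf default this commit removes in the previous hunk was `stack_domain_admin: heat-domain`, so this looks like a copy-paste from the `trustee:` block rather than an intended rename. Keystone permits the same name in different domains (trustee in `default`, stack_user in `heat`), but the two accounts serve distinct purposes and ship with identical default passwords, which makes a mix-up between them hard to spot in logs and audit trails. Suggest `username: heat-domain` unless the change is deliberate; and if heat's configmap-etc is meant to fill `stack_domain_admin` / `stack_user_domain_name` from this block, that mapping is not visible in this chunk, so please confirm it exists.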
@@ -0,0 +1,27 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- define "helm-toolkit.snippets.keystone_secret_openrc" }} +{{- $userClass := index . 0 -}} +{{- $identityEndpoint := index . 1 -}} +{{- $context := index . 2 -}} +{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }} +OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }} +OS_REGION_NAME: {{ $userContext.region_name | b64enc }} +OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }} +OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }} +OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }} +OS_USERNAME: {{ $userContext.username | b64enc }} +OS_PASSWORD: {{ $userContext.password | b64enc }} +{{- end }} diff --git a/keystone/templates/bin/_db-sync.sh.tpl b/keystone/templates/bin/_db-sync.sh.tpl index e0b6c7a185..b5ed607991 100644 --- a/keystone/templates/bin/_db-sync.sh.tpl +++ b/keystone/templates/bin/_db-sync.sh.tpl 
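Review bot: The new `helm-toolkit.snippets.keystone_secret_openrc` define has no header comment describing its calling convention, which matters because it is invoked with positional `tuple` arguments from several charts. Add above the define something like `# Renders the data: body of an openrc-style Secret for one identity user class.` / `# Args (tuple): 0 = key under .Values.endpoints.identity.auth (admin/user/trustee), 1 = endpoint class for OS_AUTH_URL, 2 = chart context.` / `# Values are base64-encoded; the caller supplies the key indentation.`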
@@ -19,10 +19,10 @@ set -ex keystone-manage --config-file=/etc/keystone/keystone.conf db_sync keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \ - --bootstrap-username {{ .Values.keystone.admin_user }} \ - --bootstrap-password {{ .Values.keystone.admin_password }} \ - --bootstrap-project-name {{ .Values.keystone.admin_project_name }} \ - --bootstrap-admin-url {{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} \ - --bootstrap-public-url {{ tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} \ - --bootstrap-internal-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} \ - --bootstrap-region-id {{ .Values.keystone.admin_region_name }} + --bootstrap-username ${OS_USERNAME} \ + --bootstrap-password ${OS_PASSWORD} \ + --bootstrap-project-name ${OS_PROJECT_NAME} \ + --bootstrap-admin-url ${OS_BOOTSTRAP_ADMIN_URL} \ + --bootstrap-public-url ${OS_BOOTSTRAP_PUBLIC_URL} \ + --bootstrap-internal-url ${OS_BOOTSTRAP_INTERNAL_URL} \ + --bootstrap-region-id ${OS_REGION_NAME} diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml index e399768982..09da695d85 100644 --- a/keystone/templates/job-bootstrap.yaml +++ b/keystone/templates/job-bootstrap.yaml @@ -14,7 +14,6 @@ {{- if .Values.bootstrap.enabled }} {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "keystone-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.bootstrap }} {{- $mounts_keystone_bootstrap := .Values.mounts.keystone_bootstrap.keystone_bootstrap }} {{- $mounts_keystone_bootstrap_init := .Values.mounts.keystone_bootstrap.init_container }} 
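Review bot: The bootstrap call now expands `${OS_PASSWORD}` on the command line while the hunk header shows `set -ex` in effect, so the admin password is echoed verbatim into the job's stdout and pod log each time db-sync runs (the templated form before this change leaked the same way; the commit does not address it). Bracket the call with `set +x` and `set -x`, or, if the installed Keystone supports it, rely on the `OS_BOOTSTRAP_*` environment variables that `keystone-manage bootstrap` reads itself so the secret never appears in argv. Independently, the expansions are unquoted, so a password or URL containing whitespace or glob characters would be word-split; use `"${OS_PASSWORD}"` and the same for the other variables.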
@@ -45,7 +44,7 @@ spec: memory: {{ .Values.resources.jobs.bootstrap.requests.memory | quote }} {{- end }} env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} command: diff --git a/keystone/templates/job-db-init.yaml b/keystone/templates/job-db-init.yaml index 50cd04a6e2..626954146b 100644 --- a/keystone/templates/job-db-init.yaml +++ b/keystone/templates/job-db-init.yaml @@ -47,7 +47,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: keystone-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/keystone/keystone.conf diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml index 2341b150db..8300dc7f14 100644 --- a/keystone/templates/job-db-sync.yaml +++ b/keystone/templates/job-db-sync.yaml @@ -43,6 +43,16 @@ spec: cpu: {{ .Values.resources.jobs.db_sync.requests.cpu | quote }} memory: {{ .Values.resources.jobs.db_sync.requests.memory | quote }} {{- end }} + env: + - name: OS_BOOTSTRAP_ADMIN_URL + value: {{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} + - name: OS_BOOTSTRAP_PUBLIC_URL + value: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} + - name: OS_BOOTSTRAP_INTERNAL_URL + value: {{ tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +{{- end }} command: - /tmp/db-sync.sh volumeMounts: diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml index 1f526e2082..01340ef82a 100644 --- a/keystone/templates/pod-rally-test.yaml 
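Review bot: In keystone/templates/job-db-sync.yaml the new `OS_BOOTSTRAP_PUBLIC_URL` is built from `tuple "identity" "internal" "api"` and `OS_BOOTSTRAP_INTERNAL_URL` from `tuple "identity" "public" "api"`; the two endpoint classes are swapped, so the bootstrapped service catalog will advertise the internal address as the public endpoint and vice versa (db-sync.sh passes them straight to `--bootstrap-public-url` / `--bootstrap-internal-url`). Swap the second tuple arguments: `value: {{ tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}` for PUBLIC and `"internal"` for INTERNAL. Wrong catalog entries are easy to miss on a single-host test deployment where both names resolve, so it is worth fixing before it bakes into every fresh bootstrap.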
+++ b/keystone/templates/pod-rally-test.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "keystone-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.tests }} {{- $mounts_keystone_tests := .Values.mounts.keystone_tests.keystone_tests }} {{- $mounts_keystone_tests_init := .Values.mounts.keystone_tests.init_container }} @@ -42,7 +41,7 @@ spec: memory: {{ .Values.resources.tests.requests.memory | quote }} {{- end }} env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- end }} - name: RALLY_ENV_NAME diff --git a/keystone/templates/secret-db-root.env.yaml b/keystone/templates/secret-db-root.env.yaml deleted file mode 100644 index 4623037da2..0000000000 --- a/keystone/templates/secret-db-root.env.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: keystone-db-root -type: Opaque -data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} diff --git a/keystone/templates/secret-db.yaml b/keystone/templates/secret-db.yaml new file mode 100644 index 0000000000..f8c9dffe58 --- /dev/null +++ b/keystone/templates/secret-db.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- end }} diff --git a/keystone/templates/secret-keystone-admin.env.yaml b/keystone/templates/secret-keystone-admin.env.yaml deleted file mode 100644 index 3652bb7a13..0000000000 --- a/keystone/templates/secret-keystone-admin.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: keystone-env-keystone-admin -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.admin_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.admin_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.admin_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.admin_password | b64enc | indent 4 }} diff --git a/mistral/templates/secret-db-root.env.yaml b/keystone/templates/secret-keystone.yaml similarity index 68% rename from mistral/templates/secret-db-root.env.yaml rename to keystone/templates/secret-keystone.yaml index d9a3e8734a..032eec642c 100644 --- a/mistral/templates/secret-db-root.env.yaml +++ b/keystone/templates/secret-keystone.yaml 
@@ -11,11 +11,15 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- apiVersion: v1 kind: Secret metadata: - name: mistral-db-root + name: {{ $secretName }} type: Opaque data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/keystone/values.yaml b/keystone/values.yaml index e87ca30bbc..205a2bee98 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml @@ -48,14 +48,7 @@ termination_grace_period: timeout: 30 keystone: - version: v3 - scheme: http - admin_region_name: RegionOne - admin_user: admin - admin_password: password - admin_project_name: admin - admin_user_domain: default - admin_project_domain: default + bootstrap: enabled: true @@ -194,12 +187,28 @@ conf: enabled: true backend: dogpile.cache.memcached +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: keystone-keystone-admin + oslo_db: + admin: keystone-db-admin + user: keystone-db-user + # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone diff --git a/magnum/templates/configmap-etc.yaml b/magnum/templates/configmap-etc.yaml index 51f7dac680..61bfa6c4a8 100644 --- a/magnum/templates/configmap-etc.yaml +++ b/magnum/templates/configmap-etc.yaml 
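Review bot: After its eight children are removed, `keystone:` in keystone/values.yaml is left as a bare key with an empty body, which YAML parses as `keystone: null`. If any template still reads `.Values.keystone.version` or `.Values.keystone.scheme` (both deleted here; their consumers are not in this chunk), it now renders an empty string; either delete the dangling key or re-home the values that are still consumed.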
@@ -23,6 +23,25 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty 
.Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} diff --git a/magnum/templates/job-db-init.yaml b/magnum/templates/job-db-init.yaml index e696ea4ded..29603a7fd3 100644 --- a/magnum/templates/job-db-init.yaml +++ b/magnum/templates/job-db-init.yaml @@ -43,7 +43,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: magnum-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/magnum/magnum.conf diff --git a/magnum/templates/job-ks-endpoints.yaml b/magnum/templates/job-ks-endpoints.yaml index 726f953bec..ed14f505e4 100644 --- a/magnum/templates/job-ks-endpoints.yaml +++ b/magnum/templates/job-ks-endpoints.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone_secrets.admin }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/magnum/templates/job-ks-service.yaml b/magnum/templates/job-ks-service.yaml index 9428363473..153645bf6b 100644 --- a/magnum/templates/job-ks-service.yaml +++ b/magnum/templates/job-ks-service.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone_secrets.admin }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job 
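Review bot: The six new `if empty … set …` blocks in magnum/templates/configmap-etc.yaml differ only in the key name, so the file now carries eighteen near-identical lines that must be kept in step with the `endpoints.identity.auth.user` schema; a `range` over the key names expresses the same defaulting once. Note also that this merges the service password into the rendered magnum.conf ConfigMap, as the chart already did via `conf.magnum…password`; sourcing that value from a Secret would be a separate follow-up. The rewrite below assumes `set`, `index` and `tuple` behave as elsewhere in this file.
```yaml
{{- $authToken := .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token -}}
{{- $userAuth := .Values.endpoints.identity.auth.user -}}
{{- range $key := tuple "region_name" "project_name" "project_domain_name" "user_domain_name" "username" "password" -}}
{{- if empty (index $authToken $key) -}}
{{- set $authToken $key (index $userAuth $key) | quote | trunc 0 -}}
{{- end -}}
{{- end -}}
# … unchanged: memcached_servers defaulting …
```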
@@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/magnum/templates/job-ks-user.yaml b/magnum/templates/job-ks-user.yaml index 2f24ca11bd..4c7fae4092 100644 --- a/magnum/templates/job-ks-user.yaml +++ b/magnum/templates/job-ks-user.yaml @@ -12,8 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "magnum-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "magnum-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} apiVersion: batch/v1 @@ -49,16 +47,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "magnum" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.magnum_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: diff --git a/magnum/templates/secret-db-root.env.yaml b/magnum/templates/secret-db-root.env.yaml deleted file mode 100644 index b7a2a35331..0000000000 --- a/magnum/templates/secret-db-root.env.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: magnum-db-root -type: Opaque -data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} diff --git a/magnum/templates/secret-db.yaml b/magnum/templates/secret-db.yaml new file mode 100644 index 0000000000..f8c9dffe58 --- /dev/null +++ b/magnum/templates/secret-db.yaml @@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- end }} diff --git a/magnum/templates/secret-keystone-admin.env.yaml b/magnum/templates/secret-keystone-admin.env.yaml deleted file mode 100644 index f795623847..0000000000 --- a/magnum/templates/secret-keystone-admin.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keystone_secrets.admin }} -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.admin_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.admin_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.admin_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.admin_password | b64enc | indent 4 }} diff --git a/magnum/templates/secret-keystone-user.env.yaml b/magnum/templates/secret-keystone-user.env.yaml deleted file mode 100644 index ef461171d4..0000000000 --- a/magnum/templates/secret-keystone-user.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keystone_secrets.user }} -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }} diff --git a/magnum/templates/secret-keystone.yaml b/magnum/templates/secret-keystone.yaml new file mode 100644 index 0000000000..2507c3b3b8 --- /dev/null +++ b/magnum/templates/secret-keystone.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/magnum/values.yaml b/magnum/values.yaml index 27d54f89b5..1d7e69a6f0 100644 --- a/magnum/values.yaml +++ b/magnum/values.yaml @@ -17,7 +17,6 @@ # Declare name/value pairs to be passed into your templates. # name: value - replicas: api: 1 conductor: 1 @@ -52,20 +51,6 @@ termination_grace_period: api: timeout: 30 -keystone_secrets: - admin: "magnum-env-keystone-admin" - user: "magnum-env-keystone-user" - -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - - magnum_user_role: "admin" - conf: paste: override: 
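Review bot: The `keystone_secret_openrc` include under `data:` passes `"internal"` for both user classes, while the deleted `secret-keystone-admin.env.yaml` built the admin `OS_AUTH_URL` from `tuple "identity" "admin" "admin"`; if the second argument selects the endpoint class, the admin openrc now targets the internal endpoint instead of the admin one. The helper is outside this hunk so I cannot confirm its signature, but this is a behaviour change that the commit message does not mention and should either be stated there or carried as a comment on the `range` line, e.g. `# admin and service openrc secrets are both built against the internal identity endpoint`. The `-}}` on the include together with `{{- end }}` also means correct YAML depends on the snippet emitting its own leading newline before `indent 2` is applied — worth a quick `helm template` check that `data:` is not glued to the first key.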
@@ -146,12 +131,37 @@ dependencies: - service: identity endpoint: internal +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: magnum-keystone-admin + user: magnum-keystone-user + oslo_db: + admin: magnum-db-admin + user: magnum-db-user + # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: magnum + password: password + project_name: service + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone diff --git a/mistral/templates/configmap-etc.yaml b/mistral/templates/configmap-etc.yaml index 439555d90f..95ee7cbbb6 100644 --- a/mistral/templates/configmap-etc.yaml +++ b/mistral/templates/configmap-etc.yaml 
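Review bot: Both `endpoints.identity.auth.admin.password` and `endpoints.identity.auth.user.password` ship as the literal `password`, and with this PS those values feed the generated keystone Secrets and (via the configmap-etc changes in the sibling charts) the rendered service configuration, so an install without overrides exposes the Keystone admin account and the service account with a guessable credential. The removed `keystone:` block had the same defaults, but now that `endpoints.identity.auth` is the single source of truth this is the place to mark them, e.g. `# development defaults only: override admin.password and user.password before any real deployment` above `auth:`, or a render-time `required` in the consuming templates so an emptied override fails early. The service user also defaults to `role: admin`; if Magnum's service account does not need a cloud-admin role, a narrower default belongs here (not verifiable from this diff).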
@@ -22,6 +22,25 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty 
.Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} diff --git a/mistral/templates/job-db-init.yaml b/mistral/templates/job-db-init.yaml index fd595c2d55..a150192009 100644 --- a/mistral/templates/job-db-init.yaml +++ b/mistral/templates/job-db-init.yaml @@ -43,7 +43,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: mistral-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/mistral/mistral.conf diff --git a/mistral/templates/job-ks-endpoints.yaml b/mistral/templates/job-ks-endpoints.yaml index 7f43b08a58..3595c53550 100644 --- a/mistral/templates/job-ks-endpoints.yaml +++ b/mistral/templates/job-ks-endpoints.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "mistral-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/mistral/templates/job-ks-service.yaml b/mistral/templates/job-ks-service.yaml index 04de18a594..8c14c3746c 100644 --- a/mistral/templates/job-ks-service.yaml +++ b/mistral/templates/job-ks-service.yaml 
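Review bot: The new `password` stanza copies `.Values.endpoints.identity.auth.user.password` into `conf.mistral.keystone_authtoken.keystonemiddleware.auth_token`, and this template is `configmap-etc.yaml`, so the Keystone service password is rendered into a ConfigMap rather than a Secret; under typical RBAC, ConfigMap readers are a broader audience than Secret readers. The part of the template that serialises `conf.mistral` is outside this hunk, so this is inferred from the file name, and the value previously came from `conf.mistral...password` in values.yaml, so the exposure is not new — but this PS centralises the credential and is the natural point to either render `mistral.conf` from a Secret or at least flag it: `# NOTE: auth_token.password below is rendered into a ConfigMap, not a Secret`. On style, the six `if empty … set …` stanzas differ only by key and could be a single `range` over `tuple "region_name" "project_name" "project_domain_name" "user_domain_name" "username" "password"`, which would also keep the seven charts' copies identical.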
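Review bot: Removing the `$ksAdminSecret := … | default "mistral-env-keystone-admin"` line in `job-ks-endpoints.yaml` drops the only fallback, so an override that clears `secrets.identity.admin` now renders an empty `secretKeyRef.name` inside `keystone_openrc_env_vars` and the job fails at pod creation instead of at render time. Since there is no sensible default any more, fail early: `{{- with $env := dict "ksUserSecret" (required "secrets.identity.admin is required" $envAll.Values.secrets.identity.admin) }}`. The rest of the Job spec is outside this hunk.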
@@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "mistral-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job @@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/mistral/templates/job-ks-user.yaml b/mistral/templates/job-ks-user.yaml index bda79d5cb7..d8759d9ee0 100644 --- a/mistral/templates/job-ks-user.yaml +++ b/mistral/templates/job-ks-user.yaml @@ -12,8 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "mistral-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "mistral-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} apiVersion: batch/v1 @@ -49,16 +47,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "mistral" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.mistral_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: 
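Review bot: In the `job-ks-user.yaml` hunk the admin secret name is read as `$envAll.Values.secrets.identity.admin` but the user secret name two lines later as `.Values.secrets.identity.user`; both resolve to the root context here, yet the mixed forms invite a breakage the first time this `env:` list is placed under a `with` or `range`. Use one form, e.g. `{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.user }}`, consistent with the `$envAll` declared at the top of the template and with the `job-ks-endpoints`/`job-ks-service` hunks above. `SERVICE_OS_ROLE` now comes from `endpoints.identity.auth.user.role`, which the values hunk defaults to `admin`; a comment there on why the service user needs that role would help reviewers of future least-privilege changes.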
diff --git a/mistral/templates/secret-db.yaml b/mistral/templates/secret-db.yaml new file mode 100644 index 0000000000..f8c9dffe58 --- /dev/null +++ b/mistral/templates/secret-db.yaml @@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- end }} diff --git a/mistral/templates/secret-keystone-admin.env.yaml b/mistral/templates/secret-keystone-admin.env.yaml deleted file mode 100644 index b53c5817a6..0000000000 --- a/mistral/templates/secret-keystone-admin.env.yaml +++ /dev/null 
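Review bot: This file is byte-identical to `magnum/templates/secret-db.yaml` (both `index` lines show blob `f8c9dffe58`), and the same Secret-generation loop is being pasted into every chart, so any later fix to how `DB_CONNECTION` is built — for example moving the root DSN out of a chart-managed Secret — has to be applied once per chart. The loop depends only on `.Values.secrets.oslo_db` and the endpoint lookup, which makes it a good candidate for a `helm-toolkit` snippet that each chart includes with one line. Until then a header comment such as `# Shared pattern across OpenStack-Helm charts; keep in sync with the other secret-db.yaml copies` would at least flag the duplication.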
@@ -1,35 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: mistral-env-keystone-admin -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.admin_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.admin_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.admin_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.admin_password | b64enc | indent 4 }} - diff --git a/mistral/templates/secret-keystone-user.env.yaml b/mistral/templates/secret-keystone-user.env.yaml deleted file mode 100644 index 47f6103b5f..0000000000 --- a/mistral/templates/secret-keystone-user.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: mistral-env-keystone-user -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }} diff --git a/mistral/templates/secret-keystone.yaml b/mistral/templates/secret-keystone.yaml new file mode 100644 index 0000000000..2507c3b3b8 --- /dev/null +++ b/mistral/templates/secret-keystone.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/mistral/values.yaml b/mistral/values.yaml index a387b5bc7a..63faa4da97 100644 --- a/mistral/values.yaml +++ b/mistral/values.yaml @@ -17,7 +17,6 @@ # Declare name/value pairs to be passed into your templates. # name: value - replicas: api: 1 engine: 1 @@ -56,26 +55,6 @@ termination_grace_period: api: timeout: 30 -keystone_secrets: - admin: "mistral-env-keystone-admin" - user: "mistral-env-keystone-user" - -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - - mistral_user: "mistral" - mistral_user_domain: "default" - mistral_user_role: "admin" - mistral_password: "password" - mistral_project_name: "service" - mistral_project_domain: "default" - mistral_region_name: "RegionOne" - network: api: ingress: 
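Review bot: As in the magnum copy (identical blob `2507c3b3b8`), the include passes `"internal"` for the admin class, whereas the deleted `secret-keystone-admin.env.yaml` built `OS_AUTH_URL` from the `"admin"` endpoint; the helper is outside this hunk, so I cannot confirm what the second argument selects, but if it is the endpoint class the bootstrap jobs silently switch endpoints. A comment on the `range` line stating the intent, e.g. `# admin and service openrc secrets deliberately use the internal identity endpoint`, would remove the ambiguity for the next reader.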
@@ -150,12 +129,37 @@ dependencies: - service: identity endpoint: internal +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: mistral-keystone-admin + user: mistral-keystone-user + oslo_db: + admin: mistral-db-admin + user: mistral-db-user + # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: mistral + password: password + project_name: service + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml index 7453379590..772c2f3d68 100644 --- a/neutron/templates/configmap-etc.yaml +++ b/neutron/templates/configmap-etc.yaml 
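Review bot: `auth.admin.password` and `auth.user.password` default to `password`, and unlike the removed `keystone:` block these values now drive both the generated Secrets and, through the `configmap-etc.yaml` hunk, the `keystone_authtoken` section of `mistral.conf`, so one weak default propagates everywhere. Mark them as non-production, e.g. `# CHANGE ME: development credentials only, override before deploying` above `auth:`, and consider `required` in the consuming templates so an emptied override fails at render time. `user.role: admin` also gives the Mistral service account cloud-admin rights; if a narrower role suffices it should be the default (not determinable from this diff).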
@@ -33,6 +33,25 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end }} +{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} + {{- if empty 
.Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end }} diff --git a/neutron/templates/job-db-init.yaml b/neutron/templates/job-db-init.yaml index 333f6ed0dd..b17261ab08 100644 --- a/neutron/templates/job-db-init.yaml +++ b/neutron/templates/job-db-init.yaml @@ -34,7 +34,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: neutron-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/neutron/neutron.conf diff --git a/neutron/templates/job-ks-endpoints.yaml b/neutron/templates/job-ks-endpoints.yaml index d359ac9f87..e64583f5ec 100644 --- a/neutron/templates/job-ks-endpoints.yaml +++ b/neutron/templates/job-ks-endpoints.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "neutron-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/neutron/templates/job-ks-service.yaml b/neutron/templates/job-ks-service.yaml index 10025ce037..0479b807b6 100644 --- a/neutron/templates/job-ks-service.yaml +++ b/neutron/templates/job-ks-service.yaml 
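Review bot: The added `password` stanza writes `.Values.endpoints.identity.auth.user.password` into `conf.neutron.keystone_authtoken...auth_token` from within `configmap-etc.yaml`, so the service credential is (inferred from the file name; the serialisation is outside this hunk) rendered into a ConfigMap rather than a Secret, reachable by anyone with ConfigMap read access in the namespace. The `@@ -374,12 +357,6 @@` hunk later in this diff removes `password: password` from `conf.neutron`, which confirms the value lived in the ConfigMap before, so this is not a regression — but a marker such as `# NOTE: auth_token.password is rendered into a ConfigMap; move neutron.conf to a Secret or an env-injected value` would keep the trade-off visible. The stanza ordering here (`project_name` first, `region_name` last) also differs from the mistral and nova copies, which makes the three harder to diff against each other.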
@@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "neutron-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job @@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml index e9a80ca531..7dd56e0463 100644 --- a/neutron/templates/job-ks-user.yaml +++ b/neutron/templates/job-ks-user.yaml @@ -12,8 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "neutron-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "neutron-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} apiVersion: batch/v1 @@ -49,16 +47,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "neutron" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.neutron_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: 
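Review bot: With the `$ksAdminSecret … | default "neutron-env-keystone-admin"` lines gone from `job-ks-service.yaml` and `job-ks-user.yaml`, a cleared `secrets.identity.admin` or `secrets.identity.user` renders an empty `secretKeyRef.name` inside the openrc snippets and the job fails only at pod creation. Failing at render time is cheaper to diagnose: `{{- with $env := dict "ksUserSecret" (required "secrets.identity.user is required" .Values.secrets.identity.user) }}`, and the same for the admin reference. The `SERVICE_OS_ROLE` line now reads `endpoints.identity.auth.user.role`, which defaults to `admin` in the values hunk; the remainder of the Job spec is outside this hunk.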
diff --git a/neutron/templates/pod-rally-test.yaml b/neutron/templates/pod-rally-test.yaml index 5d7cd5c53f..4a9070141c 100644 --- a/neutron/templates/pod-rally-test.yaml +++ b/neutron/templates/pod-rally-test.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "neutron-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.tests }} {{- $mounts_neutron_tests := .Values.mounts.neutron_tests.neutron_tests }} {{- $mounts_neutron_tests_init := .Values.mounts.neutron_tests.init_container }} @@ -32,7 +31,7 @@ spec: - name: {{.Release.Name}}-token-issue-test image: {{ .Values.images.test }} env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- end }} - name: RALLY_ENV_NAME diff --git a/neutron/templates/secret-db-root.env.yaml b/neutron/templates/secret-db-root.env.yaml deleted file mode 100644 index ccdccb7d85..0000000000 --- a/neutron/templates/secret-db-root.env.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: neutron-db-root -type: Opaque -data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} diff --git a/neutron/templates/secret-db.yaml b/neutron/templates/secret-db.yaml new file mode 100644 index 0000000000..f8c9dffe58 --- /dev/null +++ b/neutron/templates/secret-db.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- end }} diff --git a/neutron/templates/secret-keystone-admin.env.yaml b/neutron/templates/secret-keystone-admin.env.yaml deleted file mode 100644 index 3d1bb0b48d..0000000000 --- a/neutron/templates/secret-keystone-admin.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: neutron-env-keystone-admin -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.admin_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.admin_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.admin_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.admin_password | b64enc | indent 4 }} diff --git a/neutron/templates/secret-keystone-user.env.yaml b/neutron/templates/secret-keystone-user.env.yaml deleted file mode 100644 index 111ebdb45e..0000000000 --- a/neutron/templates/secret-keystone-user.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: neutron-env-keystone-user -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.neutron_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.neutron_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.neutron_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.neutron_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.neutron_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.neutron_password | b64enc | indent 4 }} diff --git a/neutron/templates/secret-keystone.yaml b/neutron/templates/secret-keystone.yaml new file mode 100644 index 0000000000..2507c3b3b8 --- /dev/null +++ b/neutron/templates/secret-keystone.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/neutron/values.yaml b/neutron/values.yaml index 88e97d0768..ba00367cbb 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -134,23 +134,6 @@ network: metadata: port: 8775 -keystone: - - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - - neutron_user: "neutron" - neutron_user_domain: "default" - neutron_user_role: "admin" - neutron_password: "password" - neutron_project_name: "service" - neutron_project_domain: "default" - neutron_region_name: "RegionOne" - metadata: workers: 4 @@ -374,12 +357,6 @@ conf: auth_token: auth_type: password auth_version: v3 - region_name: RegionOne - project_domain_name: default - project_name: service - user_domain_name: default - username: neutron - password: password ml2_conf: override: append: 
@@ -488,6 +465,14 @@ conf: override: append: +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: neutron-keystone-admin + user: neutron-keystone-user + oslo_db: + admin: neutron-db-admin + user: neutron-db-user # typically overriden by environmental # values, but should include all endpoints @@ -548,6 +533,22 @@ endpoints: default: 6080 identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: neutron + password: password + project_name: service + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml index 391912ca71..18d7a7a06d 100644 --- a/nova/templates/configmap-etc.yaml +++ b/nova/templates/configmap-etc.yaml 
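Review bot: `auth.admin.password` and `auth.user.password` are introduced as the literal `password`, and for Neutron these defaults now reach both the generated keystone Secrets and the `keystone_authtoken` section that the configmap-etc hunk fills in, so a deployment that forgets to override `endpoints.identity.auth` runs with a guessable admin and service credential. A comment above `auth:` such as `# development defaults only — override admin.password and user.password for any real deployment` is the minimum; a render-time `required` on the password values is better. Minor style point in the first hunk: the new `secrets:` block runs straight into the existing `# typically overriden by environmental` comment without the blank line the magnum and mistral copies add.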
@@ -23,6 +23,25 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- 
tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml index b2bf5b8e13..a915711b76 100644 --- a/nova/templates/job-bootstrap.yaml +++ b/nova/templates/job-bootstrap.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "nova-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.bootstrap }} {{- $mounts_nova_bootstrap := .Values.mounts.nova_bootstrap.nova_bootstrap }} {{- $mounts_nova_bootstrap_init := .Values.mounts.nova_bootstrap.init_container }} @@ -45,7 +44,7 @@ spec: command: - /tmp/bootstrap.sh env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} volumeMounts: diff --git a/nova/templates/job-db-init.yaml b/nova/templates/job-db-init.yaml index 228ce31da9..999ca334c8 100644 --- a/nova/templates/job-db-init.yaml +++ b/nova/templates/job-db-init.yaml @@ -43,7 +43,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: nova-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/nova/nova.conf @@ -80,7 +80,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: nova-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/nova/nova.conf diff --git a/nova/templates/job-ks-endpoints.yaml b/nova/templates/job-ks-endpoints.yaml index 68902ea2b8..5d02a01cd5 100644 --- a/nova/templates/job-ks-endpoints.yaml +++ b/nova/templates/job-ks-endpoints.yaml 
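Review bot: The new `password` fallback copies `endpoints.identity.auth.user.password` into `conf.nova.keystone_authtoken...auth_token`, and this template (`configmap-etc.yaml`) renders that map into a ConfigMap rather than a Secret, so the Keystone service password is readable by anything with ConfigMap read access and misses Secret-specific controls such as encryption at rest. The previous hard-coded value in values.yaml had the same fate, but this patch is where the credential flow is being redesigned, so at least mark it: `{{- /* TODO(security): auth_token.password is rendered into a ConfigMap; consider sourcing nova.conf from a Secret */ -}}`. The enclosing template begins before this hunk (the `auth_url` lookup above is its tail), so the note belongs at the head of that group.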
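Review bot: Replacing the literal `nova-db-root` with `{{ .Values.secrets.oslo_db.admin }}` drops the safety of a fixed name without adding a `| default` like the keystone lookups this patch removes, so an override that omits `secrets.oslo_db.admin` renders `secretKeyRef.name:` empty and the failure surfaces only when the Job pod is scheduled. If the Helm version in use supports it, `name: {{ required "secrets.oslo_db.admin is required" .Values.secrets.oslo_db.admin }}` fails at template time instead. The same applies to the identical reference in the first job-db-init hunk and to the `ksUserSecret` value in the job-bootstrap hunk above.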
@@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "nova-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/nova/templates/job-ks-service.yaml b/nova/templates/job-ks-service.yaml index 60dbaf78e2..4bf0662899 100644 --- a/nova/templates/job-ks-service.yaml +++ b/nova/templates/job-ks-service.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "nova-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job @@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/nova/templates/job-ks-user.yaml b/nova/templates/job-ks-user.yaml index 44de01b8a5..0e17dbcaaf 100644 --- a/nova/templates/job-ks-user.yaml +++ b/nova/templates/job-ks-user.yaml @@ -12,8 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "nova-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "nova-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} apiVersion: batch/v1 
@@ -49,16 +47,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "nova" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.nova_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: diff --git a/nova/templates/pod-rally-test.yaml b/nova/templates/pod-rally-test.yaml index ef1a44591e..7ab4094525 100644 --- a/nova/templates/pod-rally-test.yaml +++ b/nova/templates/pod-rally-test.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "nova-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.tests }} {{- $mounts_nova_tests := .Values.mounts.nova_tests.nova_tests }} {{- $mounts_nova_tests_init := .Values.mounts.nova_tests.init_container }} @@ -32,7 +31,7 @@ spec: - name: {{.Release.Name}}-token-issue-test image: {{ .Values.images.test }} env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- end }} - name: RALLY_ENV_NAME diff --git a/nova/templates/secret-db-api.yaml b/nova/templates/secret-db-api.yaml new file mode 100644 index 0000000000..3702514281 --- /dev/null +++ b/nova/templates/secret-db-api.yaml 
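Review bot: The `{{.Release.Name}}-token-issue-test` container is wired to the admin openrc Secret (`.Values.secrets.identity.admin`), so the test pod carries cloud-admin credentials; if issuing a token is all it needs, `.Values.secrets.identity.user` (the nova service account created by job-ks-user) would do the same job with far less privilege. Whether rally scenarios elsewhere in this pod require admin is not visible here, so if they do, a one-line comment next to the `dict` stating that requirement would document the choice for the next reader. The container spec continues outside this hunk.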
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.oslo_db_api $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + DB_CONNECTION: {{ tuple "oslo_db_api" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- end }} diff --git a/nova/templates/secret-db-root.env.yaml b/nova/templates/secret-db-root.env.yaml deleted file mode 100644 index e5cfa657c8..0000000000 --- a/nova/templates/secret-db-root.env.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: nova-db-root -type: Opaque -data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} diff --git a/nova/templates/secret-db.yaml b/nova/templates/secret-db.yaml new file mode 100644 index 0000000000..f8c9dffe58 --- /dev/null +++ b/nova/templates/secret-db.yaml 
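Review bot: No consumer of the `oslo_db_api` Secrets is visible in this patch excerpt (job-db-init only references `secrets.oslo_db.admin`), so either the consumer lives in templates outside this view or the `nova-db-api-admin` Secret, which carries a privileged connection URI with the password embedded, is created without anything reading it; please confirm, and if it is used, a header comment such as `# Renders one Secret per DB user class for the nova API database; DB_CONNECTION embeds the password` would make the purpose clear. As with the other new Secret templates, `$key1` is declared and never read; `{{- range $userClass := tuple "admin" "user" }}` is the direct form.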
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- end }} diff --git a/nova/templates/secret-keystone-admin.env.yaml b/nova/templates/secret-keystone-admin.env.yaml deleted file mode 100644 index 126f7e01f8..0000000000 --- a/nova/templates/secret-keystone-admin.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: nova-env-keystone-admin -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.admin_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.admin_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.admin_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.admin_password | b64enc | indent 4 }} diff --git a/nova/templates/secret-keystone-user.env.yaml b/nova/templates/secret-keystone-user.env.yaml deleted file mode 100644 index 26afb55a50..0000000000 --- a/nova/templates/secret-keystone-user.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: nova-env-keystone-user -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }} diff --git a/nova/templates/secret-keystone.yaml b/nova/templates/secret-keystone.yaml new file mode 100644 index 0000000000..2507c3b3b8 --- /dev/null +++ b/nova/templates/secret-keystone.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/nova/values.yaml b/nova/values.yaml index 4579443f3c..51ec66e5df 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -143,15 +143,6 @@ network: port: 6080 targetPort: 6080 -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - nova_user_role: "admin" - ceph: enabled: false monitors: [] @@ -416,12 +407,6 @@ conf: auth_token: auth_type: password auth_version: v3 - region_name: RegionOne - project_name: service - project_domain_name: default - user_domain_name: default - username: nova - password: password libvirt: nova: 
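Review bot: The admin openrc Secret is now generated with `tuple $userClass "internal" $envAll`, i.e. the `internal` endpoint class for both user classes, whereas the deleted `secret-keystone-admin.env.yaml` looked up `OS_AUTH_URL` with `tuple "identity" "admin" "admin"`. With `auth_version: v3` (set in the same values.yaml) the admin and internal endpoints normally serve the same API, so this is probably harmless, but it is a behavioural change the commit message does not mention and it matters for deployments that expose `admin` and `internal` on different hosts or ports. If `keystone_secret_openrc` passes the class straight through to the endpoint lookup, either restore the per-class choice or comment the decision: `{{- /* admin and service openrc both use the internal identity endpoint; v3 needs no separate admin URL */ -}}`.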
@@ -448,6 +433,17 @@ conf: conf: api_paste_config: /etc/nova/api-paste.ini +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: nova-keystone-admin + user: nova-keystone-user + oslo_db: + admin: nova-db-admin + user: nova-db-user + oslo_db_api: + admin: nova-db-api-admin + user: nova-db-api-user # typically overriden by environmental # values, but should include all endpoints @@ -506,6 +502,22 @@ endpoints: default: 11211 identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: nova + password: password + project_name: service + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone diff --git a/senlin/templates/configmap-etc.yaml b/senlin/templates/configmap-etc.yaml index bec615d3a4..4a3482a116 100644 --- a/senlin/templates/configmap-etc.yaml +++ b/senlin/templates/configmap-etc.yaml 
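Review bot: The header `# Names of secrets used by bootstrap and environmental checks` undersells the `secrets:` block: in this same patch the names are referenced by job-db-init, job-ks-endpoints, job-ks-service, job-ks-user and the rally test pod, and they are also the names under which `secret-keystone.yaml`, `secret-db.yaml` and `secret-db-api.yaml` create the Secrets. Because those templates render unconditionally, overriding a name renames a chart-managed Secret rather than pointing the chart at an externally managed one. A more accurate comment: `# Names of the Secrets this chart renders and that its jobs and pods reference; override to rename, not to consume pre-existing Secrets`.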
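Review bot: `endpoints.identity.auth.user.role: admin` makes the `nova` service account a cloud admin by default, since job-ks-user passes this value through as `SERVICE_OS_ROLE`, and the same block carries the placeholder `password: password` for both accounts. If nova's policy genuinely needs the admin role for its service user that should be stated; otherwise a less privileged role is the safer default. A comment above `auth:` such as `# Placeholder credentials - set real values per deployment; 'role' is granted to the service user by job-ks-user` flags both points for operators.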
@@ -23,6 +23,25 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty 
.Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} diff --git a/senlin/templates/job-db-init.yaml b/senlin/templates/job-db-init.yaml index 4b1f8b2a18..a1cdfcd576 100644 --- a/senlin/templates/job-db-init.yaml +++ b/senlin/templates/job-db-init.yaml @@ -43,7 +43,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: senlin-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/senlin/senlin.conf diff --git a/senlin/templates/job-ks-endpoints.yaml b/senlin/templates/job-ks-endpoints.yaml index 5d307d92da..bafe2d6057 100644 --- a/senlin/templates/job-ks-endpoints.yaml +++ b/senlin/templates/job-ks-endpoints.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone_secrets.admin }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/senlin/templates/job-ks-service.yaml b/senlin/templates/job-ks-service.yaml index cf345a2c88..016d026ef3 100644 --- a/senlin/templates/job-ks-service.yaml +++ b/senlin/templates/job-ks-service.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone_secrets.admin }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job 
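Review bot: Each new fallback is guarded by `if empty ...`, so the effective precedence is "`conf.senlin.keystone_authtoken...auth_token.<key>` if set, otherwise `endpoints.identity.auth.user.<key>`", but nothing documents this, and because `empty` also matches an explicit empty string an operator cannot deliberately blank `password` under `conf` without the `endpoints` default being substituted. A comment at the head of the new group would make the contract explicit: `{{- /* keystone_authtoken fields unset under conf.* are filled from endpoints.identity.auth.user; an empty value counts as unset */ -}}`. The template begins before this hunk (the `auth_url` lookup above follows the same pattern), so the comment belongs where that group starts.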
@@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/senlin/templates/job-ks-user.yaml b/senlin/templates/job-ks-user.yaml index 2d1a3655e0..2f2be1d690 100644 --- a/senlin/templates/job-ks-user.yaml +++ b/senlin/templates/job-ks-user.yaml @@ -12,8 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "senlin-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "senlin-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} apiVersion: batch/v1 @@ -49,16 +47,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "senlin" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.senlin_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: diff --git a/senlin/templates/secret-db-root.env.yaml b/senlin/templates/secret-db-root.env.yaml deleted file mode 100644 index 020007c025..0000000000 --- a/senlin/templates/secret-db-root.env.yaml +++ /dev/null 
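Review bot: Within the same `env:` list the admin secret is read as `$envAll.Values.secrets.identity.admin` while the user secret is read as `.Values.secrets.identity.user` and the role as `.Values.endpoints.identity.auth.user.role`; both forms resolve today because dot is still the root context at these lines, but the template defines `$envAll := .` precisely so lookups survive inside `range`/`with` scopes, and mixing the styles invites a subtle break if someone later wraps the block. Use `$envAll.Values.secrets.identity.user` and `$envAll.Values.endpoints.identity.auth.user.role` here, matching job-ks-endpoints and job-ks-service in this patch.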
@@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: senlin-db-root -type: Opaque -data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} diff --git a/senlin/templates/secret-db.yaml b/senlin/templates/secret-db.yaml new file mode 100644 index 0000000000..f8c9dffe58 --- /dev/null +++ b/senlin/templates/secret-db.yaml @@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- end }} diff --git a/senlin/templates/secret-keystone-admin.env.yaml b/senlin/templates/secret-keystone-admin.env.yaml deleted file mode 100644 index f795623847..0000000000 --- a/senlin/templates/secret-keystone-admin.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keystone_secrets.admin }} -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.admin_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.admin_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.admin_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.admin_password | b64enc | indent 4 }} diff --git a/senlin/templates/secret-keystone-user.env.yaml b/senlin/templates/secret-keystone-user.env.yaml deleted file mode 100644 index a11f50c37d..0000000000 --- a/senlin/templates/secret-keystone-user.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keystone_secrets.user }} -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }} diff --git a/senlin/templates/secret-keystone.yaml b/senlin/templates/secret-keystone.yaml new file mode 100644 index 0000000000..2507c3b3b8 --- /dev/null +++ b/senlin/templates/secret-keystone.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/senlin/values.yaml b/senlin/values.yaml index 1520e5477f..1bdcf0c497 100644 --- a/senlin/values.yaml +++ b/senlin/values.yaml @@ -17,7 +17,6 @@ # Declare name/value pairs to be passed into your templates. # name: value - replicas: api: 1 engine: 1 @@ -52,21 +51,6 @@ termination_grace_period: api: timeout: 30 -keystone_secrets: - admin: "senlin-env-keystone-admin" - user: "senlin-env-keystone-user" - -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - - senlin_user_role: "admin" - - conf: paste: override: @@ -82,12 +66,6 @@ conf: auth_token: auth_type: password auth_version: v3 - region_name: RegionOne - project_domain_name: default - project_name: service - user_domain_name: default - username: senlin - password: password senlin_api: senlin: config: 
@@ -147,12 +125,37 @@ dependencies: - service: identity endpoint: internal +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: senlin-keystone-admin + user: senlin-keystone-user + oslo_db: + admin: senlin-db-admin + user: senlin-db-user + # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: senlin + password: password + project_name: service + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone
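Review bot: `secrets.identity.*` and `secrets.oslo_db.*` read as if an operator could point the chart at pre-provisioned Secrets, but `secret-keystone.yaml` and `secret-db.yaml` in this patch render Secrets under exactly these names from the plaintext values in `endpoints`, unconditionally; overriding a name therefore renames a chart-managed Secret (and may conflict with an existing object of that name) rather than consuming an external one. That limitation, together with the `password: password` defaults below, should be spelled out in the comment: `# Names of the Secrets rendered by this chart and referenced by its jobs; credential values come from endpoints.*.auth and must be overridden per deployment`.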