From 27123129dbb2242b9fc3b1d4e4f6ae53a4a03706 Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Mon, 29 Sep 2025 12:10:22 -0500 Subject: [PATCH] feat(nova): create a way for users to provide configs in nova.conf.d Allow users to provide additional projected volumes to be mounted into the various deployments, statefulsets, and jobs that the nova chart has in the /etc/nova/nova.conf.d/ path. This allows for users to provide service account or database secrets via different operators as well as provide ways to use the chart to define common deployments while being able to have site specific overrides. Change-Id: Ic67f07f2add9267136a0b6130af87cbb36ea6680 Signed-off-by: Doug Goldstein --- .../cron-job-archive-deleted-rows.yaml | 9 +++++++-- nova/templates/cron-job-service-cleaner.yaml | 9 +++++++-- nova/templates/daemonset-compute.yaml | 9 +++++++-- nova/templates/deployment-api-metadata.yaml | 9 +++++++-- nova/templates/deployment-api-osapi.yaml | 9 +++++++-- nova/templates/deployment-conductor.yaml | 9 +++++++-- nova/templates/deployment-novncproxy.yaml | 9 +++++++-- nova/templates/deployment-scheduler.yaml | 9 +++++++-- nova/templates/deployment-serialproxy.yaml | 9 +++++++-- nova/templates/deployment-spiceproxy.yaml | 9 +++++++-- nova/templates/job-cell-setup.yaml | 9 +++++++-- .../templates/statefulset-compute-ironic.yaml | 9 +++++++-- nova/values.yaml | 19 +++++++++++++++++++ releasenotes/notes/nova-fc00bda9bb69988e.yaml | 7 +++++++ 14 files changed, 110 insertions(+), 24 deletions(-) create mode 100644 releasenotes/notes/nova-fc00bda9bb69988e.yaml diff --git a/nova/templates/cron-job-archive-deleted-rows.yaml b/nova/templates/cron-job-archive-deleted-rows.yaml index 9051fabf2c..55e61f4eb8 100644 --- a/nova/templates/cron-job-archive-deleted-rows.yaml +++ b/nova/templates/cron-job-archive-deleted-rows.yaml 
@@ -17,6 +17,10 @@ limitations under the License. {{- $serviceAccountName := "nova-archive-deleted-rows-cron" }} {{ tuple $envAll "archive_deleted_rows" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +{{- $etcSources := .Values.pod.etcSources.nova_archive_deleted_rows }} +{{- if eq .Values.manifests.secret_ks_etc true }} +{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }} +{{- end }} --- apiVersion: batch/v1 kind: CronJob @@ -96,11 +100,12 @@ spec: - name: archive-deleted-rows-conf secret: secretName: nova-etc +{{- if $etcSources }} - name: nova-etc-snippets projected: sources: - - secret: - name: nova-ks-etc +{{ toYaml $etcSources | indent 18 }} +{{ end }} {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{- end }} diff --git a/nova/templates/cron-job-service-cleaner.yaml b/nova/templates/cron-job-service-cleaner.yaml index 99d0339a64..01b3393a9e 100644 --- a/nova/templates/cron-job-service-cleaner.yaml +++ b/nova/templates/cron-job-service-cleaner.yaml @@ -17,6 +17,10 @@ limitations under the License. {{- $serviceAccountName := "nova-service-cleaner" }} {{ tuple $envAll "service_cleaner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +{{- $etcSources := .Values.pod.etcSources.nova_service_cleaner }} +{{- if eq .Values.manifests.secret_ks_etc true }} +{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }} +{{- end }} --- apiVersion: batch/v1 kind: CronJob 
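Review bot: The new `$etcSources` assignment at the top of cron-job-archive-deleted-rows.yaml feeds `.Values.pod.etcSources.nova_archive_deleted_rows` straight into `append`, which will likely fail at render time if an override sets that key to null. Guard it with `{{- $etcSources := .Values.pod.etcSources.nova_archive_deleted_rows | default list }}`. A values set that lacks `pod.etcSources` altogether, for example one reused from a release that predates this key, would need separate handling. The same four-line block, with the secret name `nova-ks-etc` hard-coded, is repeated in the first hunk of the other eleven templates in this patch. A named helper template taking the per-service key would keep the copies from drifting.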
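Review bot: When `manifests.secret_ks_etc` is off and `pod.etcSources.nova_archive_deleted_rows` is empty, the added `{{- if $etcSources }}` removes the `nova-etc-snippets` volume, yet nothing in this patch touches the containers' volumeMounts (the diffstat shows only these two hunks per template, 7 insertions and 2 deletions). If a mount of `nova-etc-snippets` exists outside this hunk and is unconditional, the rendered CronJob refers to an undefined volume and the API server should reject it. Put that mount under the same `{{- if $etcSources }}` guard. This applies equally to the volume hunks of the other eleven templates. Separately, the closing `{{ end }}` does not trim whitespace the way the opening tag does; `{{- end }}` avoids a stray blank line in the output.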
@@ -91,10 +95,11 @@ spec: configMap: name: nova-bin defaultMode: 0555 +{{- if $etcSources }} - name: nova-etc-snippets projected: sources: - - secret: - name: nova-ks-etc +{{ toYaml $etcSources | indent 18 }} +{{ end }} {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{- end }} diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml index 5d266d07a3..4cc2cc5f86 100644 --- a/nova/templates/daemonset-compute.yaml +++ b/nova/templates/daemonset-compute.yaml @@ -71,6 +71,10 @@ exec: {{- $mounts_nova_compute := .Values.pod.mounts.nova_compute.nova_compute }} {{- $mounts_nova_compute_init := .Values.pod.mounts.nova_compute.init_container }} +{{- $etcSources := .Values.pod.etcSources.nova_compute }} +{{- if eq .Values.manifests.secret_ks_etc true }} +{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }} +{{- end }} --- apiVersion: apps/v1 @@ -521,11 +525,12 @@ spec: secret: secretName: {{ $configMapName }} defaultMode: 0444 +{{- if $etcSources }} - name: nova-etc-snippets projected: sources: - - secret: - name: nova-ks-etc +{{ toYaml $etcSources | indent 14 }} +{{ end }} {{- if .Values.network.ssh.enabled }} - name: nova-ssh secret: diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml index 52a3ff6b73..8d20239b9d 100644 --- a/nova/templates/deployment-api-metadata.yaml +++ b/nova/templates/deployment-api-metadata.yaml 
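Review bot: The `nova-etc-snippets` projected volume in daemonset-compute.yaml is rendered without a `defaultMode`, unlike the secret volume directly above it in this hunk (`defaultMode: 0444`), so its files get the Kubernetes default for projected volumes, 0644. The commit message expects database and service-account secrets to arrive through `pod.etcSources`, so an explicit mode is worth setting, for example `defaultMode: 0440` under `projected:`. Whether the nova process can still read the files at that mode depends on the pod securityContext and fsGroup, which are outside this hunk. The volume hunks of the other templates render the same block and would take the same line.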
@@ -31,6 +31,10 @@ httpGet: {{- $mounts_nova_api_metadata := .Values.pod.mounts.nova_api_metadata.nova_api_metadata }} {{- $mounts_nova_api_metadata_init := .Values.pod.mounts.nova_api_metadata.init_container }} +{{- $etcSources := .Values.pod.etcSources.nova_api_metadata }} +{{- if eq .Values.manifests.secret_ks_etc true }} +{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }} +{{- end }} {{- $serviceAccountName := "nova-api-metadata" }} {{ tuple $envAll "api_metadata" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} @@ -221,11 +225,12 @@ spec: secret: secretName: nova-etc defaultMode: 0444 +{{- if $etcSources }} - name: nova-etc-snippets projected: sources: - - secret: - name: nova-ks-etc +{{ toYaml $etcSources | indent 14 }} +{{ end }} - name: pod-shared emptyDir: {} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml index 7c273172d4..6ce6b09125 100644 --- a/nova/templates/deployment-api-osapi.yaml +++ b/nova/templates/deployment-api-osapi.yaml @@ -31,6 +31,10 @@ httpGet: {{- $mounts_nova_api_osapi := .Values.pod.mounts.nova_api_osapi.nova_api_osapi }} {{- $mounts_nova_api_osapi_init := .Values.pod.mounts.nova_api_osapi.init_container }} +{{- $etcSources := .Values.pod.etcSources.nova_api_osapi }} +{{- if eq .Values.manifests.secret_ks_etc true }} +{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }} +{{- end }} {{- $serviceAccountName := "nova-api-osapi" }} {{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} 
@@ -169,11 +173,12 @@ spec: secret: secretName: nova-etc defaultMode: 0444 +{{- if $etcSources }} - name: nova-etc-snippets projected: sources: - - secret: - name: nova-ks-etc +{{ toYaml $etcSources | indent 14 }} +{{ end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml index 5ce7d8e1e7..22a5777b52 100644 --- a/nova/templates/deployment-conductor.yaml +++ b/nova/templates/deployment-conductor.yaml @@ -44,6 +44,10 @@ exec: {{- $mounts_nova_conductor := .Values.pod.mounts.nova_conductor.nova_conductor }} {{- $mounts_nova_conductor_init := .Values.pod.mounts.nova_conductor.init_container }} +{{- $etcSources := .Values.pod.etcSources.nova_conductor }} +{{- if eq .Values.manifests.secret_ks_etc true }} +{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }} +{{- end }} {{- $serviceAccountName := "nova-conductor" }} {{ tuple $envAll "conductor" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} 
@@ -147,11 +151,12 @@ spec: secret: secretName: nova-etc defaultMode: 0444 +{{- if $etcSources }} - name: nova-etc-snippets projected: sources: - - secret: - name: nova-ks-etc +{{ toYaml $etcSources | indent 14 }} +{{ end }} {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml index 51864e0142..4de2e9ae75 100644 --- a/nova/templates/deployment-novncproxy.yaml +++ b/nova/templates/deployment-novncproxy.yaml @@ -27,6 +27,10 @@ tcpSocket: {{- $mounts_nova_novncproxy := .Values.pod.mounts.nova_novncproxy.nova_novncproxy }} {{- $mounts_nova_novncproxy_init := .Values.pod.mounts.nova_novncproxy.init_novncproxy }} +{{- $etcSources := .Values.pod.etcSources.nova_novncproxy }} +{{- if eq .Values.manifests.secret_ks_etc true }} +{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }} +{{- end }} {{- $vencrypt_enabled := (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }} @@ -174,11 +178,12 @@ spec: secret: secretName: nova-etc defaultMode: 0444 +{{- if $etcSources }} - name: nova-etc-snippets projected: sources: - - secret: - name: nova-ks-etc +{{ toYaml $etcSources | indent 14 }} +{{ end }} - name: pod-usr-share-novnc emptyDir: {} - name: pod-shared diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml index ea60b75c62..ddce194a3d 100644 --- a/nova/templates/deployment-scheduler.yaml 
+++ b/nova/templates/deployment-scheduler.yaml @@ -44,6 +44,10 @@ exec: {{- $mounts_nova_scheduler := .Values.pod.mounts.nova_scheduler.nova_scheduler }} {{- $mounts_nova_scheduler_init := .Values.pod.mounts.nova_scheduler.init_container }} +{{- $etcSources := .Values.pod.etcSources.nova_scheduler }} +{{- if eq .Values.manifests.secret_ks_etc true }} +{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }} +{{- end }} {{- $serviceAccountName := "nova-scheduler" }} {{ tuple $envAll "scheduler" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} @@ -147,11 +151,12 @@ spec: secret: secretName: nova-etc defaultMode: 0444 +{{- if $etcSources }} - name: nova-etc-snippets projected: sources: - - secret: - name: nova-ks-etc +{{ toYaml $etcSources | indent 14 }} +{{ end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} diff --git a/nova/templates/deployment-serialproxy.yaml b/nova/templates/deployment-serialproxy.yaml index 22adb9076b..d600b993d5 100644 --- a/nova/templates/deployment-serialproxy.yaml +++ b/nova/templates/deployment-serialproxy.yaml 
@@ -27,6 +27,10 @@ tcpSocket: {{- $mounts_nova_serialproxy := .Values.pod.mounts.nova_serialproxy.nova_serialproxy }} {{- $mounts_nova_serialproxy_init := .Values.pod.mounts.nova_serialproxy.init_serialproxy }} +{{- $etcSources := .Values.pod.etcSources.nova_serialproxy }} +{{- if eq .Values.manifests.secret_ks_etc true }} +{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }} +{{- end }} {{- $serviceAccountName := "nova-serialproxy" }} {{ tuple $envAll "serialproxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} @@ -152,11 +156,12 @@ spec: secret: secretName: nova-etc defaultMode: 0444 +{{- if $etcSources }} - name: nova-etc-snippets projected: sources: - - secret: - name: nova-ks-etc +{{ toYaml $etcSources | indent 14 }} +{{ end }} - name: pod-usr-share-serial emptyDir: {} - name: pod-shared diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml index 975148443f..5bb4dd2317 100644 --- a/nova/templates/deployment-spiceproxy.yaml +++ b/nova/templates/deployment-spiceproxy.yaml @@ -27,6 +27,10 @@ tcpSocket: {{- $mounts_nova_spiceproxy := .Values.pod.mounts.nova_spiceproxy.nova_spiceproxy }} {{- $mounts_nova_spiceproxy_init := .Values.pod.mounts.nova_spiceproxy.init_spiceproxy }} +{{- $etcSources := .Values.pod.etcSources.nova_spiceproxy }} +{{- if eq .Values.manifests.secret_ks_etc true }} +{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }} +{{- end }} {{- $serviceAccountName := "nova-spiceproxy" }} {{ tuple $envAll "spiceproxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} @@ -160,11 +164,12 @@ spec: secret: secretName: nova-etc defaultMode: 0444 +{{- if $etcSources }} - name: nova-etc-snippets projected: sources: - - secret: - name: nova-ks-etc +{{ toYaml $etcSources | indent 14 }} +{{ end }} - name: pod-usr-share-spice-html5 emptyDir: {} - name: pod-shared 
diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml index a2abeacab7..d5d9f28bca 100644 --- a/nova/templates/job-cell-setup.yaml +++ b/nova/templates/job-cell-setup.yaml @@ -17,6 +17,10 @@ limitations under the License. {{- $serviceAccountName := "nova-cell-setup" }} {{ tuple $envAll "cell_setup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +{{- $etcSources := .Values.pod.etcSources.nova_cell_setup }} +{{- if eq .Values.manifests.secret_ks_etc true }} +{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }} +{{- end }} --- apiVersion: batch/v1 kind: Job @@ -127,11 +131,12 @@ spec: secret: secretName: nova-etc defaultMode: 0444 +{{- if $etcSources }} - name: nova-etc-snippets projected: sources: - - secret: - name: nova-ks-etc +{{ toYaml $etcSources | indent 14 }} +{{ end }} - name: nova-bin configMap: name: nova-bin diff --git a/nova/templates/statefulset-compute-ironic.yaml b/nova/templates/statefulset-compute-ironic.yaml index 4c22627f96..d2df22d7e8 100644 --- a/nova/templates/statefulset-compute-ironic.yaml +++ b/nova/templates/statefulset-compute-ironic.yaml @@ -17,6 +17,10 @@ limitations under the License. {{- $mounts_nova_compute_ironic := .Values.pod.mounts.nova_compute_ironic.nova_compute_ironic }} {{- $mounts_nova_compute_ironic_init := .Values.pod.mounts.nova_compute_ironic.init_container }} +{{- $etcSources := .Values.pod.etcSources.nova_compute_ironic }} +{{- if eq .Values.manifests.secret_ks_etc true }} +{{- $etcSources = append $etcSources (dict "secret" (dict "name" "nova-ks-etc")) }} +{{- end }} {{- $serviceAccountName := "nova-compute-ironic" }} {{ tuple $envAll "compute_ironic" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} 
@@ -109,11 +113,12 @@ spec: secret: secretName: nova-etc defaultMode: 0444 +{{- if $etcSources }} - name: nova-etc-snippets projected: sources: - - secret: - name: nova-ks-etc +{{ toYaml $etcSources | indent 14 }} +{{ end }} - name: varlibironic hostPath: path: /var/lib/ironic diff --git a/nova/values.yaml b/nova/values.yaml index 913fbc8872..b409f016e3 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -2386,6 +2386,25 @@ pod: - key: node-role.kubernetes.io/control-plane operator: Exists effect: NoSchedule + # -- This allows users to add Kubernetes Projected Volumes to be mounted at /etc/nova/nova.conf.d/ + ## This is a list of projected volume source objects for each deployment/statefulset/job + ## https://kubernetes.io/docs/concepts/storage/projected-volumes/ + etcSources: + nova_compute: [] + nova_compute_ironic: [] + nova_api_metadata: [] + nova_api_osapi: [] + nova_conductor: [] + nova_scheduler: [] + nova_bootstrap: [] + nova_tests: [] + nova_novncproxy: [] + nova_serialproxy: [] + nova_spiceproxy: [] + nova_db_sync: [] + nova_archive_deleted_rows: [] + nova_service_cleaner: [] + nova_cell_setup: [] mounts: nova_compute: init_container: null diff --git a/releasenotes/notes/nova-fc00bda9bb69988e.yaml b/releasenotes/notes/nova-fc00bda9bb69988e.yaml new file mode 100644 index 0000000000..fc3a7b2bdf --- /dev/null +++ b/releasenotes/notes/nova-fc00bda9bb69988e.yaml @@ -0,0 +1,7 @@ +--- +nova: + - | + Allow users to add additional sources to the Projected Volume that is mounted + at /etc/nova/nova.conf.d/ so they may more easily override configs or provide + additional configs for the various services in the chart. +...
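Review bot: The new `etcSources` map in values.yaml declares `nova_bootstrap`, `nova_tests` and `nova_db_sync`, but the diffstat lists no bootstrap, test or db-sync template in this patch, so entries under those keys appear to be silently ignored. Either wire them into the corresponding templates or leave the keys out until something consumes them. The comment above the map could also state how the entries are used, for example `## Entries are rendered verbatim under projected.sources; nova-ks-etc is appended after them when manifests.secret_ks_etc is true`. That would tell operators that any projected source type is accepted and where the chart's own secret lands relative to theirs. The enclosing `pod:` mapping starts outside the hunk.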