Merge "fix(log): reduces chattiness in keystone log"

2021-10-21 09:11:33 +00:00 · 2021-10-21 09:11:33 +00:00 · b48929a4fa
parent 3cdf7be017 73531436e9
commit b48929a4fa
4 changed files with 28 additions and 2 deletions
--- a/keystone/Chart.yaml
+++ b/keystone/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.2.14
+version: 0.2.15
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@ -61,6 +61,23 @@ spec:
      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
      initContainers:
 {{ tuple $envAll "api" $mounts_keystone_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: link-keys
+          image: {{ .Values.images.tags.keystone_api }}
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - set -xe;
+              find /etc/keystone/mounted-keys -type l -exec ln -sfn {} {{ .Values.conf.keystone.fernet_tokens.key_repository }} \; ;
+              chmod o-wrx {{ .Values.conf.keystone.fernet_tokens.key_repository }} ;
+          securityContext:
+            runAsUser: 0
+          volumeMounts:
+            - name: keystone-fernet-keys
+              mountPath: /etc/keystone/mounted-keys
+            - name: post-keystone-fernet-keys
+              mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
      containers:
        - name: keystone-api
 {{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -143,6 +160,8 @@ spec:
 {{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
            - name: keystone-fernet-keys
+              mountPath: /etc/keystone/mounted-keys
+            - name: post-keystone-fernet-keys
              mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
 {{- end }}
            - name: keystone-credential-keys
@ -171,7 +190,7 @@ spec:
        - name: keystone-etc
          secret:
            secretName: keystone-etc
-            defaultMode: 0444
+            defaultMode: 0440
        - name: keystone-bin
          configMap:
            name: keystone-bin
@ -182,9 +201,12 @@ spec:
            secretName: keystone-ldap-tls
 {{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
+        - name: post-keystone-fernet-keys
+          emptyDir: {}
        - name: keystone-fernet-keys
          secret:
            secretName: keystone-fernet-keys
+            defaultMode: 0440
 {{- end }}
        - name: keystone-credential-keys
          secret:
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -163,10 +163,13 @@ pod:
    keystone:
      pod:
        runAsUser: 42424
+        fsGroup: 42424
      container:
        keystone_api:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
+          runAsGroup: 42424
+          fsGroup: 42424
    credential_setup:
      pod:
        runAsUser: 42424
--- a/releasenotes/notes/keystone.yaml
+++ b/releasenotes/notes/keystone.yaml
@ -30,4 +30,5 @@ keystone:
  - 0.2.12 Helm 3 - Fix Job Labels
  - 0.2.13 Helm 3 - Fix more Job Labels
  - 0.2.14 Update htk requirements repo
+  - 0.2.15 Reduce log chattiness
 ...