cinder: split service accounts from cinder.conf

This change continues the work defined in this spec. [1]

[1] https://docs.openstack.org/openstack-helm/latest/specs/2025.2/own_service_accounts.html

Change-Id: If1e6cc447719651fd9fd62d45778049b8457111d
Signed-off-by: Mathieu Gagné <mgagne@calavera.ca>

cinder/templates/configmap-etc.yaml

@@ -23,25 +23,6 @@ limitations under the License.
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.keystone_authtoken "auth_url" -}}
 {{- end -}}
 
-{{- if empty .Values.conf.cinder.keystone_authtoken.region_name -}}
-{{- $_ := set .Values.conf.cinder.keystone_authtoken "region_name" .Values.endpoints.identity.auth.cinder.region_name -}}
-{{- end -}}
-{{- if empty .Values.conf.cinder.keystone_authtoken.project_name -}}
-{{- $_ := set .Values.conf.cinder.keystone_authtoken "project_name" .Values.endpoints.identity.auth.cinder.project_name -}}
-{{- end -}}
-{{- if empty .Values.conf.cinder.keystone_authtoken.project_domain_name -}}
-{{- $_ := set .Values.conf.cinder.keystone_authtoken "project_domain_name" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.cinder.keystone_authtoken.user_domain_name -}}
-{{- $_ := set .Values.conf.cinder.keystone_authtoken "user_domain_name" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.cinder.keystone_authtoken.username -}}
-{{- $_ := set .Values.conf.cinder.keystone_authtoken "username" .Values.endpoints.identity.auth.cinder.username -}}
-{{- end -}}
-{{- if empty .Values.conf.cinder.keystone_authtoken.password -}}
-{{- $_ := set .Values.conf.cinder.keystone_authtoken "password" .Values.endpoints.identity.auth.cinder.password -}}
-{{- end -}}
-
 {{- if empty .Values.conf.cinder.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.cinder.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
@@ -53,25 +34,6 @@ limitations under the License.
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set $envAll.Values.conf.cinder.nova "auth_url" -}}
 {{- end }}
 
-{{- if empty $envAll.Values.conf.cinder.nova.region_name -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "region_name" $envAll.Values.endpoints.identity.auth.nova.region_name -}}
-{{- end -}}
-{{- if empty $envAll.Values.conf.cinder.nova.project_name -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "project_name" $envAll.Values.endpoints.identity.auth.nova.project_name -}}
-{{- end -}}
-{{- if empty $envAll.Values.conf.cinder.nova.project_domain_name -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.nova.project_domain_name -}}
-{{- end -}}
-{{- if empty $envAll.Values.conf.cinder.nova.user_domain_name -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.nova.user_domain_name -}}
-{{- end -}}
-{{- if empty $envAll.Values.conf.cinder.nova.username -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "username" $envAll.Values.endpoints.identity.auth.nova.username -}}
-{{- end -}}
-{{- if empty $envAll.Values.conf.cinder.nova.password -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "password" $envAll.Values.endpoints.identity.auth.nova.password -}}
-{{- end -}}
-
 {{- if empty .Values.conf.cinder.database.connection -}}
 {{- $connection := tuple "oslo_db" "internal" "cinder" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
 {{- if .Values.manifests.certificates -}}
@@ -124,24 +86,6 @@ limitations under the License.
 {{- if empty .Values.conf.cinder.service_user.auth_url -}}
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.cinder.service_user "auth_url" -}}
 {{- end -}}
-{{- if empty .Values.conf.cinder.service_user.region_name -}}
-{{- $_ := set .Values.conf.cinder.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}}
-{{- end -}}
-{{- if empty .Values.conf.cinder.service_user.project_name -}}
-{{- $_ := set .Values.conf.cinder.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}}
-{{- end -}}
-{{- if empty .Values.conf.cinder.service_user.project_domain_name -}}
-{{- $_ := set .Values.conf.cinder.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.cinder.service_user.user_domain_name -}}
-{{- $_ := set .Values.conf.cinder.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}}
-{{- end -}}
-{{- if empty .Values.conf.cinder.service_user.username -}}
-{{- $_ := set .Values.conf.cinder.service_user "username" .Values.endpoints.identity.auth.service.username -}}
-{{- end -}}
-{{- if empty .Values.conf.cinder.service_user.password -}}
-{{- $_ := set .Values.conf.cinder.service_user "password" .Values.endpoints.identity.auth.service.password -}}
-{{- end -}}
 {{- end -}}
 
 {{- if empty .Values.conf.cinder_api_uwsgi.uwsgi.processes -}}

cinder/templates/cron-job-cinder-db-purge.yaml

@@ -17,11 +17,13 @@ limitations under the License.
 
 {{- $mounts_cinder_db_purge := .Values.pod.mounts.cinder_db_purge.cinder_db_purge }}
 {{- $mounts_cinder_db_purge_init := .Values.pod.mounts.cinder_db_purge.init_container }}
+{{- $etcSources := .Values.pod.etcSources.cinder_db_purge }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "cinder-ks-etc")) }}
+{{- end }}
 
 {{- $serviceAccountName := "cinder-db-purge" }}
 {{ tuple $envAll "db_purge" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
-
-{{- $etcSources := .Values.pod.etcSources.cinder_db_purge }}
 ---
 apiVersion: batch/v1
 kind: CronJob

cinder/templates/cron-job-cinder-volume-usage-audit.yaml

@@ -17,11 +17,13 @@ limitations under the License.
 
 {{- $mounts_cinder_volume_usage_audit := .Values.pod.mounts.cinder_volume_usage_audit.cinder_volume_usage_audit }}
 {{- $mounts_cinder_volume_usage_audit_init := .Values.pod.mounts.cinder_volume_usage_audit.init_container }}
+{{- $etcSources := .Values.pod.etcSources.cinder_volume_usage_audit }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "cinder-ks-etc")) }}
+{{- end }}
 
 {{- $serviceAccountName := "cinder-volume-usage-audit" }}
 {{ tuple $envAll "volume_usage_audit" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
-
-{{- $etcSources := .Values.pod.etcSources.cinder_volume_usage_audit }}
 ---
 apiVersion: batch/v1
 kind: CronJob

cinder/templates/deployment-api.yaml

@@ -31,11 +31,14 @@ httpGet:
 
 {{- $mounts_cinder_api := .Values.pod.mounts.cinder_api.cinder_api }}
 {{- $mounts_cinder_api_init := .Values.pod.mounts.cinder_api.init_container }}
+{{- $etcSources := .Values.pod.etcSources.cinder_api }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "cinder-ks-etc")) }}
+{{- end }}
 
 {{- $serviceAccountName := "cinder-api" }}
 {{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 
-{{- $etcSources := .Values.pod.etcSources.cinder_api }}
 ---
 apiVersion: apps/v1
 kind: Deployment

cinder/templates/deployment-backup.yaml

@@ -19,11 +19,13 @@ limitations under the License.
 
 {{- $mounts_cinder_backup := .Values.pod.mounts.cinder_backup.cinder_backup }}
 {{- $mounts_cinder_backup_init := .Values.pod.mounts.cinder_backup.init_container }}
+{{- $etcSources := .Values.pod.etcSources.cinder_backup }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "cinder-ks-etc")) }}
+{{- end }}
 
 {{- $serviceAccountName := "cinder-backup" }}
 {{ tuple $envAll "backup" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
-
-{{- $etcSources := .Values.pod.etcSources.cinder_backup }}
 ---
 apiVersion: apps/v1
 kind: Deployment

cinder/templates/deployment-scheduler.yaml

@@ -17,11 +17,13 @@ limitations under the License.
 
 {{- $mounts_cinder_scheduler := .Values.pod.mounts.cinder_scheduler.cinder_scheduler }}
 {{- $mounts_cinder_scheduler_init := .Values.pod.mounts.cinder_scheduler.init_container }}
+{{- $etcSources := .Values.pod.etcSources.cinder_scheduler }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "cinder-ks-etc")) }}
+{{- end }}
 
 {{- $serviceAccountName := "cinder-scheduler" }}
 {{ tuple $envAll "scheduler" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
-
-{{- $etcSources := .Values.pod.etcSources.cinder_scheduler }}
 ---
 apiVersion: apps/v1
 kind: Deployment

cinder/templates/deployment-volume.yaml

@@ -19,11 +19,13 @@ limitations under the License.
 
 {{- $mounts_cinder_volume := .Values.pod.mounts.cinder_volume.cinder_volume }}
 {{- $mounts_cinder_volume_init := .Values.pod.mounts.cinder_volume.init_container }}
+{{- $etcSources := .Values.pod.etcSources.cinder_volume }}
+{{- if eq .Values.manifests.secret_ks_etc true }}
+{{- $etcSources = append $etcSources (dict "secret" (dict "name" "cinder-ks-etc")) }}
+{{- end }}
 
 {{- $serviceAccountName := "cinder-volume" }}
 {{ tuple $envAll "volume" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
-
-{{- $etcSources := .Values.pod.etcSources.cinder_volume }}
 ---
 apiVersion: apps/v1
 kind: Deployment

cinder/templates/secret-ks-etc.yaml

@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ks_etc }}
+{{- $envAll := . -}}
+{{/* the endpoints.identity.auth sections with the oslo conf sections they get rendered to */}}
+{{- $ksUsers := dict
+  "cinder" "keystone_authtoken"
+  "nova" "nova"
+-}}
+{{- if .Values.conf.cinder.service_user.send_service_user_token }}
+{{- $_ := set $ksUsers "service" "service_user" -}}
+{{- end }}
+{{ dict
+  "envAll" $envAll
+  "serviceName" "cinder"
+  "serviceUserSections" $ksUsers
+  | include "helm-toolkit.manifests.secret_ks_etc"
+}}
+{{- end }}

cinder/values.yaml

@@ -1611,6 +1611,7 @@ manifests:
   secret_db: true
   secret_ingress_tls: true
   secret_keystone: true
+  secret_ks_etc: true
   secret_rabbitmq: true
   secret_registry: true
   service_api: true

releasenotes/notes/cinder-ded5ec20ef58ac93.yaml

@@ -0,0 +1,8 @@
+---
+cinder:
+  - |
+    Split out the OpenStack service account definitions from cinder.conf and into
+    config snippets which are loaded at /etc/cinder/cinder.d/, which is automatically
+    loaded by OSLO when loading the main cinder.conf. This makes it easier for users
+    to use the regular config generation while supplying credentials out of band.
+...