diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml index 1a20ea8414..45dc2f621d 100644 --- a/cinder/templates/configmap-etc.yaml +++ b/cinder/templates/configmap-etc.yaml 
@@ -54,22 +54,22 @@ limitations under the License. {{- end }} {{- if empty $envAll.Values.conf.cinder.nova.region_name -}} -{{- $_ := set $envAll.Values.conf.cinder.nova "region_name" $envAll.Values.endpoints.identity.auth.cinder.region_name -}} +{{- $_ := set $envAll.Values.conf.cinder.nova "region_name" $envAll.Values.endpoints.identity.auth.nova.region_name -}} {{- end -}} {{- if empty $envAll.Values.conf.cinder.nova.project_name -}} -{{- $_ := set $envAll.Values.conf.cinder.nova "project_name" $envAll.Values.endpoints.identity.auth.cinder.project_name -}} +{{- $_ := set $envAll.Values.conf.cinder.nova "project_name" $envAll.Values.endpoints.identity.auth.nova.project_name -}} {{- end -}} {{- if empty $envAll.Values.conf.cinder.nova.project_domain_name -}} -{{- $_ := set $envAll.Values.conf.cinder.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.cinder.project_domain_name -}} +{{- $_ := set $envAll.Values.conf.cinder.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.nova.project_domain_name -}} {{- end -}} {{- if empty $envAll.Values.conf.cinder.nova.user_domain_name -}} -{{- $_ := set $envAll.Values.conf.cinder.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.cinder.user_domain_name -}} +{{- $_ := set $envAll.Values.conf.cinder.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.nova.user_domain_name -}} {{- end -}} {{- if empty $envAll.Values.conf.cinder.nova.username -}} -{{- $_ := set $envAll.Values.conf.cinder.nova "username" $envAll.Values.endpoints.identity.auth.cinder.username -}} +{{- $_ := set $envAll.Values.conf.cinder.nova "username" $envAll.Values.endpoints.identity.auth.nova.username -}} {{- end -}} {{- if empty $envAll.Values.conf.cinder.nova.password -}} -{{- $_ := set $envAll.Values.conf.cinder.nova "password" $envAll.Values.endpoints.identity.auth.cinder.password -}} +{{- $_ := set $envAll.Values.conf.cinder.nova "password" $envAll.Values.endpoints.identity.auth.nova.password -}} {{- end 
-}} {{- if empty .Values.conf.cinder.database.connection -}} 
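Review bot: The fallback for `[nova] password` (and the other five keys in this hunk) now reads `endpoints.identity.auth.nova.*`, whose default added to cinder/values.yaml by this commit is `password: password`. A deployment that only overrode `auth.cinder.password` used to inherit that secret here; after the upgrade it would presumably render cinder.conf with the placeholder unless the operator also overrides the new entry. The same applies to the `auth.swift` and `auth.service` fallbacks in the next two hunks and to the `service_user` hunk in nova/templates/configmap-etc.yaml. I would document this above the block, e.g. `{{/* auth.nova is a separate Keystone account: override its password together with auth.cinder */}}`, and add an upgrade entry to the release notes for cinder and nova. The enclosing `if` block starts outside the hunk.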
@@ -97,19 +97,19 @@ limitations under the License. {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.DEFAULT "backup_swift_auth_url" -}} {{- end -}} {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user_domain -}} -{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user_domain" .Values.endpoints.identity.auth.cinder.user_domain_name -}} +{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user_domain" .Values.endpoints.identity.auth.swift.user_domain_name -}} {{- end -}} {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user -}} -{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user" .Values.endpoints.identity.auth.cinder.username -}} +{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user" .Values.endpoints.identity.auth.swift.username -}} {{- end -}} {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_key -}} -{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_key" .Values.endpoints.identity.auth.cinder.password -}} +{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_key" .Values.endpoints.identity.auth.swift.password -}} {{- end -}} {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project_domain -}} -{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project_domain" .Values.endpoints.identity.auth.cinder.project_domain_name -}} +{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project_domain" .Values.endpoints.identity.auth.swift.project_domain_name -}} {{- end -}} {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project -}} -{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project" .Values.endpoints.identity.auth.cinder.project_name -}} +{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project" .Values.endpoints.identity.auth.swift.project_name -}} {{- end -}} {{- if empty .Values.conf.cinder.DEFAULT.swift_catalog_info -}} {{- $_ := set .Values.conf.cinder.DEFAULT "swift_catalog_info" 
"object-store:swift:internalURL" -}} 
@@ -125,22 +125,22 @@ limitations under the License. {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.cinder.service_user "auth_url" -}} {{- end -}} {{- if empty .Values.conf.cinder.service_user.region_name -}} -{{- $_ := set .Values.conf.cinder.service_user "region_name" .Values.endpoints.identity.auth.cinder.region_name -}} +{{- $_ := set .Values.conf.cinder.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}} {{- end -}} {{- if empty .Values.conf.cinder.service_user.project_name -}} -{{- $_ := set .Values.conf.cinder.service_user "project_name" .Values.endpoints.identity.auth.cinder.project_name -}} +{{- $_ := set .Values.conf.cinder.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}} {{- end -}} {{- if empty .Values.conf.cinder.service_user.project_domain_name -}} -{{- $_ := set .Values.conf.cinder.service_user "project_domain_name" .Values.endpoints.identity.auth.cinder.project_domain_name -}} +{{- $_ := set .Values.conf.cinder.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}} {{- end -}} {{- if empty .Values.conf.cinder.service_user.user_domain_name -}} -{{- $_ := set .Values.conf.cinder.service_user "user_domain_name" .Values.endpoints.identity.auth.cinder.user_domain_name -}} +{{- $_ := set .Values.conf.cinder.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}} {{- end -}} {{- if empty .Values.conf.cinder.service_user.username -}} -{{- $_ := set .Values.conf.cinder.service_user "username" .Values.endpoints.identity.auth.cinder.username -}} +{{- $_ := set .Values.conf.cinder.service_user "username" .Values.endpoints.identity.auth.service.username -}} {{- end -}} {{- if empty .Values.conf.cinder.service_user.password -}} -{{- $_ := set .Values.conf.cinder.service_user "password" .Values.endpoints.identity.auth.cinder.password -}} 
+{{- $_ := set .Values.conf.cinder.service_user "password" .Values.endpoints.identity.auth.service.password -}} {{- end -}} {{- end -}} diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml index 78f48cfc8f..b8f5954ea5 100644 --- a/cinder/templates/job-ks-user.yaml +++ b/cinder/templates/job-ks-user.yaml @@ -18,7 +18,14 @@ helm.sh/hook-weight: "-1" {{- end }} {{- if .Values.manifests.job_ks_user }} -{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}} +{{- $serviceUsers := (tuple "cinder" "nova") -}} +{{- if (contains "cinder.backup.drivers.swift" .Values.conf.cinder.DEFAULT.backup_driver) }} +{{- $serviceUsers = append $serviceUsers "swift" -}} +{{- end }} +{{- if .Values.conf.cinder.service_user.send_service_user_token -}} +{{- $serviceUsers = append $serviceUsers "service" -}} +{{- end }} +{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" "serviceUsers" $serviceUsers -}} {{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}} {{- end -}} diff --git a/cinder/templates/secret-keystone.yaml b/cinder/templates/secret-keystone.yaml index de355d0dcf..d827222b7b 100644 --- a/cinder/templates/secret-keystone.yaml +++ b/cinder/templates/secret-keystone.yaml @@ -14,7 +14,7 @@ limitations under the License. {{- if .Values.manifests.secret_keystone }} {{- $envAll := . }} -{{- range $key1, $userClass := tuple "admin" "cinder" "test" }} +{{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }} {{- $secretName := index $envAll.Values.secrets.identity $userClass }} --- apiVersion: v1 diff --git a/cinder/values.yaml b/cinder/values.yaml index ec8ec6a1cb..757cd7a0e6 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml 
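Review bot: In cinder/templates/job-ks-user.yaml, `contains "cinder.backup.drivers.swift" .Values.conf.cinder.DEFAULT.backup_driver` passes the value straight to a string function, so an unset `backup_driver` would likely fail the render instead of skipping the swift user. The neutron version of this template guards its lookup with `| default ""`. I would write `{{- if (contains "cinder.backup.drivers.swift" (.Values.conf.cinder.DEFAULT.backup_driver | default "")) }}`. The added `{{- end }}` lines also use a different trim marker from the `{{- end -}}` in the neutron hunk, which is worth making consistent.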
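Review bot: In cinder/templates/secret-keystone.yaml the new `range` walks every key under `endpoints.identity.auth`, so `index $envAll.Values.secrets.identity $userClass` on the following context line yields no value for any auth entry without a matching `secrets.identity` key, for example one added through an operator override. It also emits a credential Secret for entries such as `swift` or `service` even when job-ks-user.yaml leaves them out of `$serviceUsers`. I would fail early with `{{- $secretName := index $envAll.Values.secrets.identity $userClass | required (printf "secrets.identity.%s is not set" $userClass) }}` and consider skipping classes the chart does not use. The same one-line change is made in neutron/templates/secret-keystone.yaml and nova/templates/secret-keystone.yaml; the Secret body lies outside the hunk.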
@@ -1243,6 +1243,9 @@ secrets: identity: admin: cinder-keystone-admin cinder: cinder-keystone-user + nova: cinder-keystone-nova + swift: cinder-keystone-swift + service: cinder-keystone-service test: cinder-keystone-test oslo_db: admin: cinder-db-admin @@ -1312,6 +1315,30 @@ endpoints: project_name: service user_domain_name: service project_domain_name: service + nova: + role: admin,service + region_name: RegionOne + project_name: service + username: cinder_nova + password: password + user_domain_name: service + project_domain_name: service + swift: + role: admin,service + region_name: RegionOne + project_name: service + username: cinder_swift + password: password + user_domain_name: service + project_domain_name: service + service: + role: admin,service + region_name: RegionOne + project_name: service + username: cinder_service_user + password: password + user_domain_name: service + project_domain_name: service test: role: admin region_name: RegionOne diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml index 563ba7baf1..a80b0a2c7b 100644 --- a/neutron/templates/job-ks-user.yaml +++ b/neutron/templates/job-ks-user.yaml @@ -18,7 +18,14 @@ helm.sh/hook-weight: "-1" {{- end }} {{- if .Values.manifests.job_ks_user }} -{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}} +{{- $serviceUsers := (tuple "neutron" "nova" "placement") -}} +{{- if eq (.Values.conf.neutron.DEFAULT.external_dns_driver | default "") "designate" -}} +{{- $serviceUsers = append $serviceUsers "designate" -}} +{{- end -}} +{{- if (has "baremetal" .Values.network.backend) -}} +{{- $serviceUsers = append $serviceUsers "ironic" -}} +{{- end -}} +{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" "serviceUsers" $serviceUsers -}} {{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}} {{- end -}} 
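Review bot: All three accounts added under `endpoints.identity.auth` in cinder/values.yaml get `role: admin,service`, including the `service` entry that is only used for `[service_user]`. As far as I know the receiving side validates a service token against the `service` role, so `admin` looks broader than that account needs; `role: service` would keep it least-privileged, and the `nova` and `swift` entries deserve the same check against the policies of the target release. The neutron and nova values.yaml hunks add the same `admin,service` pair to their accounts. Each entry also ships `password: password`, so the per-service split only isolates credentials once every one is overridden; a comment such as `# placeholder, override per deployment` next to the new entries would make that explicit.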
diff --git a/neutron/templates/secret-keystone.yaml b/neutron/templates/secret-keystone.yaml index c285bdd1e7..d827222b7b 100644 --- a/neutron/templates/secret-keystone.yaml +++ b/neutron/templates/secret-keystone.yaml @@ -14,7 +14,7 @@ limitations under the License. {{- if .Values.manifests.secret_keystone }} {{- $envAll := . }} -{{- range $key1, $userClass := tuple "admin" "neutron" "test" }} +{{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }} {{- $secretName := index $envAll.Values.secrets.identity $userClass }} --- apiVersion: v1 diff --git a/neutron/values.yaml b/neutron/values.yaml index 2b01d0f3ad..1aa391fb2a 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -2316,6 +2316,10 @@ secrets: identity: admin: neutron-keystone-admin neutron: neutron-keystone-user + nova: neutron-keystone-nova + placement: neutron-keystone-placement + designate: neutron-keystone-designate + ironic: neutron-keystone-ironic test: neutron-keystone-test oslo_db: admin: neutron-db-admin @@ -2477,30 +2481,34 @@ endpoints: user_domain_name: service project_domain_name: service nova: + role: admin,service region_name: RegionOne project_name: service - username: nova + username: neutron_nova password: password user_domain_name: service project_domain_name: service placement: + role: admin,service region_name: RegionOne project_name: service - username: placement + username: neutron_placement password: password user_domain_name: service project_domain_name: service designate: + role: admin,service region_name: RegionOne project_name: service - username: designate + username: neutron_designate password: password user_domain_name: service project_domain_name: service ironic: + role: admin,service region_name: RegionOne project_name: service - username: ironic + username: neutron_ironic password: password user_domain_name: service project_domain_name: service 
diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml index 96617dbdd4..41fa28c5c9 100644 --- a/nova/templates/configmap-etc.yaml +++ b/nova/templates/configmap-etc.yaml 
@@ -61,22 +61,22 @@ limitations under the License. {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.service_user "auth_url" -}} {{- end -}} {{- if empty .Values.conf.nova.service_user.region_name -}} -{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.nova.region_name -}} +{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}} {{- end -}} {{- if empty .Values.conf.nova.service_user.project_name -}} -{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.nova.project_name -}} +{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}} {{- end -}} {{- if empty .Values.conf.nova.service_user.project_domain_name -}} -{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.nova.project_domain_name -}} +{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}} {{- end -}} {{- if empty .Values.conf.nova.service_user.user_domain_name -}} -{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.nova.user_domain_name -}} +{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}} {{- end -}} {{- if empty .Values.conf.nova.service_user.username -}} -{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.nova.username -}} +{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.service.username -}} {{- end -}} {{- if empty .Values.conf.nova.service_user.password -}} -{{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.nova.password -}} +{{- $_ := set .Values.conf.nova.service_user 
"password" .Values.endpoints.identity.auth.service.password -}} {{- end -}} {{- end -}} diff --git a/nova/templates/job-ks-user.yaml b/nova/templates/job-ks-user.yaml index 7d0f01975b..1d58b7a59a 100644 --- a/nova/templates/job-ks-user.yaml +++ b/nova/templates/job-ks-user.yaml @@ -18,7 +18,11 @@ helm.sh/hook-weight: "-1" {{- end }} {{- if .Values.manifests.job_ks_user }} -{{- $ksUserJob := dict "envAll" . "serviceName" "nova" -}} +{{- $serviceUsers := (tuple "nova" "neutron" "placement" "ironic" "cinder") -}} +{{- if .Values.conf.nova.service_user.send_service_user_token }} +{{- $serviceUsers = append $serviceUsers "service" -}} +{{- end }} +{{- $ksUserJob := dict "envAll" . "serviceName" "nova" "serviceUsers" $serviceUsers -}} {{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}} {{- end -}} diff --git a/nova/templates/secret-keystone.yaml b/nova/templates/secret-keystone.yaml index 2d6560c53e..d827222b7b 100644 --- a/nova/templates/secret-keystone.yaml +++ b/nova/templates/secret-keystone.yaml @@ -14,7 +14,7 @@ limitations under the License. {{- if .Values.manifests.secret_keystone }} {{- $envAll := . }} -{{- range $key1, $userClass := tuple "admin" "nova" "test" }} +{{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }} {{- $secretName := index $envAll.Values.secrets.identity $userClass }} --- apiVersion: v1 diff --git a/nova/values.yaml b/nova/values.yaml index 45613eb426..cabaf72ac3 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -1641,6 +1641,11 @@ secrets: identity: admin: nova-keystone-admin nova: nova-keystone-user + neutron: nova-keystone-neutron + placement: nova-keystone-placement + cinder: nova-keystone-cinder + ironic: nova-keystone-ironic + service: nova-keystone-service test: nova-keystone-test oslo_db: admin: nova-db-admin 
@@ -1824,30 +1829,40 @@ endpoints: project_name: service user_domain_name: service project_domain_name: service + service: + role: admin,service + region_name: RegionOne + username: nova_service_user + password: password + project_name: service + user_domain_name: service + project_domain_name: service # NOTE(portdirect): the neutron user is not managed by the nova chart # these values should match those set in the neutron chart. neutron: + role: admin,service region_name: RegionOne project_name: service user_domain_name: service project_domain_name: service - username: neutron + username: nova_neutron password: password # NOTE(portdirect): the ironic user is not managed by the nova chart # these values should match those set in the ironic chart. ironic: + role: admin,service auth_type: password auth_version: v3 region_name: RegionOne project_name: service user_domain_name: service project_domain_name: service - username: ironic + username: nova_ironic password: password placement: - role: admin + role: admin,service region_name: RegionOne - username: placement + username: nova_placement password: password project_name: service user_domain_name: service @@ -1855,7 +1870,7 @@ endpoints: cinder: role: admin,service region_name: RegionOne - username: cinder + username: nova_cinder password: password project_name: service user_domain_name: service diff --git a/releasenotes/notes/neutron-2d4db97bc8900286.yaml b/releasenotes/notes/neutron-2d4db97bc8900286.yaml new file mode 100644 index 0000000000..ab56697a18 --- /dev/null +++ b/releasenotes/notes/neutron-2d4db97bc8900286.yaml @@ -0,0 +1,6 @@ +--- +neutron: + - | + Create multiple Keystone service accounts to access to + other Openstack APIs +...
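Review bot: The two `NOTE(portdirect)` comments kept as context in the nova/values.yaml endpoints hunk still say the neutron and ironic users are "not managed by the nova chart" and should match the values of the other chart. The entries below them now name `nova_neutron` and `nova_ironic`, which nova/templates/job-ks-user.yaml lists in `$serviceUsers`. The comments should be replaced, e.g. `# NOTE: nova_neutron is created by this chart's ks-user job and is used only by nova to call the neutron API.`, with the equivalent for ironic. `ironic` is also added to `$serviceUsers` unconditionally, so an admin-role account appears to be created even where ironic is not deployed; gating it on a condition, as the neutron chart does with `has "baremetal" .Values.network.backend`, would avoid that.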