From bfbf0c3b6db5824394bfec3f25887f89e5730fe0 Mon Sep 17 00:00:00 2001
From: Vladimir Kozhukalov
Date: Wed, 30 Apr 2025 18:38:18 -0500
Subject: [PATCH] Charts to use their own service accounts

Currently charts create one user that is used to get access to Keystone API to check auth tokens and other services use this user to get access to the service managed by this particular chart. So chart values must be aligned with each other. For example when we deploy Neutron we use nova service account managed by the Nova chart.

The spec [1] suggests charts by default to create their own service accounts to get access to other APIs instead of using service accounts managed by other charts.

[1] I12eb9341d5ff633ad4435f4938bf8c946ea388ee

This commit updates the following charts
- Neutron
- Nova
- Cinder

Depends-On: I12eb9341d5ff633ad4435f4938bf8c946ea388ee
Change-Id: Ic059b9bcd89084b0ccd1102ba57db7d3d1130af7
---
 cinder/templates/configmap-etc.yaml | 34 +++++++++----------
 cinder/templates/job-ks-user.yaml | 9 ++++-
 cinder/templates/secret-keystone.yaml | 2 +-
 cinder/values.yaml | 27 +++++++++++++++
 neutron/templates/deployment-server.yaml | 2 ++
 neutron/templates/job-ks-user.yaml | 9 ++++-
 neutron/templates/secret-keystone.yaml | 2 +-
 neutron/values.yaml | 16 ++++++---
 nova/templates/configmap-etc.yaml | 12 +++----
 nova/templates/job-ks-user.yaml | 6 +++-
 nova/templates/secret-keystone.yaml | 2 +-
 nova/values.yaml | 25 +++++++++++---
 .../notes/neutron-2d4db97bc8900286.yaml | 6 ++++
 13 files changed, 114 insertions(+), 38 deletions(-)
 create mode 100644 releasenotes/notes/neutron-2d4db97bc8900286.yaml

diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml
index 1a20ea8414..45dc2f621d 100644
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
@@ -54,22 +54,22 @@ limitations under the License.
 {{- end }}
 {{- if empty $envAll.Values.conf.cinder.nova.region_name -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "region_name" $envAll.Values.endpoints.identity.auth.cinder.region_name -}}
+{{- $_ := set $envAll.Values.conf.cinder.nova "region_name" $envAll.Values.endpoints.identity.auth.nova.region_name -}}
 {{- end -}}
 {{- if empty $envAll.Values.conf.cinder.nova.project_name -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "project_name" $envAll.Values.endpoints.identity.auth.cinder.project_name -}}
+{{- $_ := set $envAll.Values.conf.cinder.nova "project_name" $envAll.Values.endpoints.identity.auth.nova.project_name -}}
 {{- end -}}
 {{- if empty $envAll.Values.conf.cinder.nova.project_domain_name -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.cinder.project_domain_name -}}
+{{- $_ := set $envAll.Values.conf.cinder.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.nova.project_domain_name -}}
 {{- end -}}
 {{- if empty $envAll.Values.conf.cinder.nova.user_domain_name -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.cinder.user_domain_name -}}
+{{- $_ := set $envAll.Values.conf.cinder.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.nova.user_domain_name -}}
 {{- end -}}
 {{- if empty $envAll.Values.conf.cinder.nova.username -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "username" $envAll.Values.endpoints.identity.auth.cinder.username -}}
+{{- $_ := set $envAll.Values.conf.cinder.nova "username" $envAll.Values.endpoints.identity.auth.nova.username -}}
 {{- end -}}
 {{- if empty $envAll.Values.conf.cinder.nova.password -}}
-{{- $_ := set $envAll.Values.conf.cinder.nova "password" $envAll.Values.endpoints.identity.auth.cinder.password -}}
+{{- $_ := set $envAll.Values.conf.cinder.nova "password" $envAll.Values.endpoints.identity.auth.nova.password -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.database.connection -}}
@@ -97,19 +97,19 @@ limitations under the License.
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.DEFAULT "backup_swift_auth_url" -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user_domain -}}
-{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user_domain" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user_domain" .Values.endpoints.identity.auth.swift.user_domain_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user -}}
-{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user" .Values.endpoints.identity.auth.cinder.username -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user" .Values.endpoints.identity.auth.swift.username -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_key -}}
-{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_key" .Values.endpoints.identity.auth.cinder.password -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_key" .Values.endpoints.identity.auth.swift.password -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project_domain -}}
-{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project_domain" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project_domain" .Values.endpoints.identity.auth.swift.project_domain_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project -}}
-{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project" .Values.endpoints.identity.auth.cinder.project_name -}}
+{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project" .Values.endpoints.identity.auth.swift.project_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.DEFAULT.swift_catalog_info -}}
 {{- $_ := set .Values.conf.cinder.DEFAULT "swift_catalog_info" "object-store:swift:internalURL" -}}
@@ -125,22 +125,22 @@ limitations under the License.
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.cinder.service_user "auth_url" -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.service_user.region_name -}}
-{{- $_ := set .Values.conf.cinder.service_user "region_name" .Values.endpoints.identity.auth.cinder.region_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.service_user.project_name -}}
-{{- $_ := set .Values.conf.cinder.service_user "project_name" .Values.endpoints.identity.auth.cinder.project_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.service_user.project_domain_name -}}
-{{- $_ := set .Values.conf.cinder.service_user "project_domain_name" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.service_user.user_domain_name -}}
-{{- $_ := set .Values.conf.cinder.service_user "user_domain_name" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
+{{- $_ := set .Values.conf.cinder.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.service_user.username -}}
-{{- $_ := set .Values.conf.cinder.service_user "username" .Values.endpoints.identity.auth.cinder.username -}}
+{{- $_ := set .Values.conf.cinder.service_user "username" .Values.endpoints.identity.auth.service.username -}}
 {{- end -}}
 {{- if empty .Values.conf.cinder.service_user.password -}}
-{{- $_ := set .Values.conf.cinder.service_user "password" .Values.endpoints.identity.auth.cinder.password -}}
+{{- $_ := set .Values.conf.cinder.service_user "password" .Values.endpoints.identity.auth.service.password -}}
 {{- end -}}
 {{- end -}}
diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml
index 78f48cfc8f..b8f5954ea5 100644
--- a/cinder/templates/job-ks-user.yaml
+++ b/cinder/templates/job-ks-user.yaml
@@ -18,7 +18,14 @@ helm.sh/hook-weight: "-1"
 {{- end }}
 {{- if .Values.manifests.job_ks_user }}
-{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- $serviceUsers := (tuple "cinder" "nova") -}}
+{{- if (contains "cinder.backup.drivers.swift" .Values.conf.cinder.DEFAULT.backup_driver) }}
+{{- $serviceUsers = append $serviceUsers "swift" -}}
+{{- end }}
+{{- if .Values.conf.cinder.service_user.send_service_user_token -}}
+{{- $serviceUsers = append $serviceUsers "service" -}}
+{{- end }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" "serviceUsers" $serviceUsers -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
 {{- end -}}
diff --git a/cinder/templates/secret-keystone.yaml b/cinder/templates/secret-keystone.yaml
index de355d0dcf..d827222b7b 100644
--- a/cinder/templates/secret-keystone.yaml
+++ b/cinder/templates/secret-keystone.yaml
@@ -14,7 +14,7 @@ limitations under the License.
 {{- if .Values.manifests.secret_keystone }}
 {{- $envAll := . }}
-{{- range $key1, $userClass := tuple "admin" "cinder" "test" }}
+{{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }}
 {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
 ---
 apiVersion: v1
diff --git a/cinder/values.yaml b/cinder/values.yaml
index 6b335be17d..f620aa8150 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
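Review bot: `contains "cinder.backup.drivers.swift" .Values.conf.cinder.DEFAULT.backup_driver` fails the whole render instead of skipping the swift account when an override leaves `backup_driver` unset, because sprig's `contains` takes two strings and a nil value cannot be passed for the second one; the neutron hunk in this same patch already guards its equivalent lookup with `| default ""`. Suggest `{{- if (contains "cinder.backup.drivers.swift" (.Values.conf.cinder.DEFAULT.backup_driver | default "")) }}`. The enclosing `if .Values.manifests.job_ks_user` block continues outside the hunk.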
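Review bot: `index $envAll.Values.secrets.identity $userClass` returns nil for any key under `endpoints.identity.auth` that has no counterpart in `secrets.identity`, so the new range renders a Secret with an empty `metadata.name` instead of a clear error; the old fixed tuple could not hit this, and an operator override that adds an auth entry now can. Fail early with `{{- $secretName := index $envAll.Values.secrets.identity $userClass | required (printf "secrets.identity.%s must be set" $userClass) }}`. Note the loop also now emits a Secret for every auth entry, including accounts the ks-user job does not create in a given configuration (cinder `swift` and `service` are conditional). The same change and the same gap are in neutron/templates/secret-keystone.yaml and nova/templates/secret-keystone.yaml in this patch; the rest of the range body is outside the hunk.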
@@ -1183,6 +1183,9 @@ secrets:
 identity:
 admin: cinder-keystone-admin
 cinder: cinder-keystone-user
+ nova: cinder-keystone-nova
+ swift: cinder-keystone-swift
+ service: cinder-keystone-service
 test: cinder-keystone-test
 oslo_db:
 admin: cinder-db-admin
@@ -1252,6 +1255,30 @@ endpoints:
 project_name: service
 user_domain_name: service
 project_domain_name: service
+ nova:
+ role: admin,service
+ region_name: RegionOne
+ project_name: service
+ username: cinder_nova
+ password: password
+ user_domain_name: service
+ project_domain_name: service
+ swift:
+ role: admin,service
+ region_name: RegionOne
+ project_name: service
+ username: cinder_swift
+ password: password
+ user_domain_name: service
+ project_domain_name: service
+ service:
+ role: admin,service
+ region_name: RegionOne
+ project_name: service
+ username: cinder_service_user
+ password: password
+ user_domain_name: service
+ project_domain_name: service
 test:
 role: admin
 region_name: RegionOne
diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml
index b6b634d238..b574b9597a 100644
--- a/neutron/templates/deployment-server.yaml
+++ b/neutron/templates/deployment-server.yaml
@@ -184,9 +184,11 @@ spec:
 command:
 - /tmp/neutron-server.sh
 - stop
+{{- if not $envAll.Values.manifests.certificates }}
 ports:
 - name: q-api
 containerPort: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}
 volumeMounts:
 - name: pod-tmp
 mountPath: /tmp
diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml
index 563ba7baf1..a80b0a2c7b 100644
--- a/neutron/templates/job-ks-user.yaml
+++ b/neutron/templates/job-ks-user.yaml
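Review bot: Each new account (`nova`, `swift`, `service`) is granted `role: admin,service`, so a credential whose only purpose is calling a peer API also carries full admin on the service project; if `admin` is still needed for consumers that do not honour the `service` role, say so on the line, e.g. `role: admin,service  # admin kept for API policies that do not yet accept the service role; prefer service alone`, otherwise `role: service` is the least-privilege default. The new entries also default to `password: password` (the file's existing placeholder convention), which triples the credentials a deployer must override for this chart; the release note in this patch only mentions neutron, so cinder and nova deployers get no hint. The neutron and nova values hunks add the same role defaults.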
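Review bot: Dropping the `q-api` `containerPort` whenever `manifests.certificates` is set is not mentioned in the commit message and the new `if` has no comment, so a reader cannot tell whether the port is intentionally unpublished in that mode or is exposed by another container. Add a template comment above the new line, e.g. `{{/* NOTE: with manifests.certificates the API port is exposed by <the TLS-terminating container>; keep in sync with it */}}` (fill in the actual container), or describe the reason in the commit message. This also looks unrelated to the service-account change and would be easier to review as its own commit. The containers block continues outside the hunk.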
@@ -18,7 +18,14 @@ helm.sh/hook-weight: "-1"
 {{- end }}
 {{- if .Values.manifests.job_ks_user }}
-{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- $serviceUsers := (tuple "neutron" "nova" "placement") -}}
+{{- if eq (.Values.conf.neutron.DEFAULT.external_dns_driver | default "") "designate" -}}
+{{- $serviceUsers = append $serviceUsers "designate" -}}
+{{- end -}}
+{{- if (has "baremetal" .Values.network.backend) -}}
+{{- $serviceUsers = append $serviceUsers "ironic" -}}
+{{- end -}}
+{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" "serviceUsers" $serviceUsers -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
 {{- end -}}
diff --git a/neutron/templates/secret-keystone.yaml b/neutron/templates/secret-keystone.yaml
index c285bdd1e7..d827222b7b 100644
--- a/neutron/templates/secret-keystone.yaml
+++ b/neutron/templates/secret-keystone.yaml
@@ -14,7 +14,7 @@ limitations under the License.
 {{- if .Values.manifests.secret_keystone }}
 {{- $envAll := . }}
-{{- range $key1, $userClass := tuple "admin" "neutron" "test" }}
+{{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }}
 {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
 ---
 apiVersion: v1
diff --git a/neutron/values.yaml b/neutron/values.yaml
index 1691e00498..5b74789f08 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -2291,6 +2291,10 @@ secrets:
 identity:
 admin: neutron-keystone-admin
 neutron: neutron-keystone-user
+ nova: neutron-keystone-nova
+ placement: neutron-keystone-placement
+ designate: neutron-keystone-designate
+ ironic: neutron-keystone-ironic
 test: neutron-keystone-test
 oslo_db:
 admin: neutron-db-admin
@@ -2452,30 +2456,34 @@ endpoints:
 user_domain_name: service
 project_domain_name: service
 nova:
+ role: admin,service
 region_name: RegionOne
 project_name: service
- username: nova
+ username: neutron_nova
 password: password
 user_domain_name: service
 project_domain_name: service
 placement:
+ role: admin,service
 region_name: RegionOne
 project_name: service
- username: placement
+ username: neutron_placement
 password: password
 user_domain_name: service
 project_domain_name: service
 designate:
+ role: admin,service
 region_name: RegionOne
 project_name: service
- username: designate
+ username: neutron_designate
 password: password
 user_domain_name: service
 project_domain_name: service
 ironic:
+ role: admin,service
 region_name: RegionOne
 project_name: service
- username: ironic
+ username: neutron_ironic
 password: password
 user_domain_name: service
 project_domain_name: service
diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml
index 96617dbdd4..41fa28c5c9 100644
--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
@@ -61,22 +61,22 @@ limitations under the License.
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.service_user "auth_url" -}}
 {{- end -}}
 {{- if empty .Values.conf.nova.service_user.region_name -}}
-{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.nova.region_name -}}
+{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}}
 {{- end -}}
 {{- if empty .Values.conf.nova.service_user.project_name -}}
-{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.nova.project_name -}}
+{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}}
 {{- end -}}
 {{- if empty .Values.conf.nova.service_user.project_domain_name -}}
-{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.nova.project_domain_name -}}
+{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}}
 {{- end -}}
 {{- if empty .Values.conf.nova.service_user.user_domain_name -}}
-{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.nova.user_domain_name -}}
+{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}}
 {{- end -}}
 {{- if empty .Values.conf.nova.service_user.username -}}
-{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.nova.username -}}
+{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.service.username -}}
 {{- end -}}
 {{- if empty .Values.conf.nova.service_user.password -}}
-{{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.nova.password -}}
+{{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.service.password -}}
 {{- end -}}
 {{- end -}}
diff --git a/nova/templates/job-ks-user.yaml b/nova/templates/job-ks-user.yaml
index 7d0f01975b..1d58b7a59a 100644
--- a/nova/templates/job-ks-user.yaml
+++ b/nova/templates/job-ks-user.yaml
@@ -18,7 +18,11 @@ helm.sh/hook-weight: "-1"
 {{- end }}
 {{- if .Values.manifests.job_ks_user }}
-{{- $ksUserJob := dict "envAll" . "serviceName" "nova" -}}
+{{- $serviceUsers := (tuple "nova" "neutron" "placement" "ironic" "cinder") -}}
+{{- if .Values.conf.nova.service_user.send_service_user_token }}
+{{- $serviceUsers = append $serviceUsers "service" -}}
+{{- end }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "nova" "serviceUsers" $serviceUsers -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
 {{- end -}}
diff --git a/nova/templates/secret-keystone.yaml b/nova/templates/secret-keystone.yaml
index 2d6560c53e..d827222b7b 100644
--- a/nova/templates/secret-keystone.yaml
+++ b/nova/templates/secret-keystone.yaml
@@ -14,7 +14,7 @@ limitations under the License.
 {{- if .Values.manifests.secret_keystone }}
 {{- $envAll := . }}
-{{- range $key1, $userClass := tuple "admin" "nova" "test" }}
+{{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }}
 {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
 ---
 apiVersion: v1
diff --git a/nova/values.yaml b/nova/values.yaml
index 45613eb426..cabaf72ac3 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -1641,6 +1641,11 @@ secrets:
 identity:
 admin: nova-keystone-admin
 nova: nova-keystone-user
+ neutron: nova-keystone-neutron
+ placement: nova-keystone-placement
+ cinder: nova-keystone-cinder
+ ironic: nova-keystone-ironic
+ service: nova-keystone-service
 test: nova-keystone-test
 oslo_db:
 admin: nova-db-admin
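Review bot: `tuple "nova" "neutron" "placement" "ironic" "cinder"` creates the `ironic` account unconditionally, whereas the neutron hunk in this patch only adds `ironic` when `has "baremetal" .Values.network.backend`; a deployment without Ironic therefore still gets a `nova_ironic` Keystone user with `admin,service` and the values-file default password that nobody uses or rotates. Gate it on whatever value enables the Ironic driver in this chart, mirroring the `send_service_user_token` check just below: `{{- if <ironic-enabled condition> }}` / `{{- $serviceUsers = append $serviceUsers "ironic" -}}` / `{{- end }}`. The same question applies to `cinder` if the chart has a switch for volume support. The enclosing `if .Values.manifests.job_ks_user` block continues outside the hunk.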
@@ -1824,30 +1829,40 @@ endpoints:
 project_name: service
 user_domain_name: service
 project_domain_name: service
+ service:
+ role: admin,service
+ region_name: RegionOne
+ username: nova_service_user
+ password: password
+ project_name: service
+ user_domain_name: service
+ project_domain_name: service
 # NOTE(portdirect): the neutron user is not managed by the nova chart
 # these values should match those set in the neutron chart.
 neutron:
+ role: admin,service
 region_name: RegionOne
 project_name: service
 user_domain_name: service
 project_domain_name: service
- username: neutron
+ username: nova_neutron
 password: password
 # NOTE(portdirect): the ironic user is not managed by the nova chart
 # these values should match those set in the ironic chart.
 ironic:
+ role: admin,service
 auth_type: password
 auth_version: v3
 region_name: RegionOne
 project_name: service
 user_domain_name: service
 project_domain_name: service
- username: ironic
+ username: nova_ironic
 password: password
 placement:
- role: admin
+ role: admin,service
 region_name: RegionOne
- username: placement
+ username: nova_placement
 password: password
 project_name: service
 user_domain_name: service
@@ -1855,7 +1870,7 @@ endpoints:
 cinder:
 role: admin,service
 region_name: RegionOne
- username: cinder
+ username: nova_cinder
 password: password
 project_name: service
 user_domain_name: service
diff --git a/releasenotes/notes/neutron-2d4db97bc8900286.yaml b/releasenotes/notes/neutron-2d4db97bc8900286.yaml
new file mode 100644
index 0000000000..ab56697a18
--- /dev/null
+++ b/releasenotes/notes/neutron-2d4db97bc8900286.yaml
@@ -0,0 +1,6 @@
+---
+neutron:
+ - |
+ Create multiple Keystone service accounts to access to
+ other Openstack APIs
+...
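Review bot: The two `NOTE(portdirect)` comments left as context (`the neutron user is not managed by the nova chart` / `the ironic user is not managed by the nova chart`, each followed by `these values should match those set in the ... chart`) are now wrong: with this patch the nova ks-user job creates `nova_neutron` and `nova_ironic` itself, and nothing in the neutron or ironic chart has to match them. Replace each pair with a comment describing the new ownership, e.g. `# NOTE: this user is created by the nova chart's ks-user job for calling the Neutron API; it is independent of the neutron chart's own accounts.` and the equivalent for ironic. Leaving the old text invites an operator to "align" the passwords across charts, which the commit message says is exactly what this change removes. The `endpoints.identity.auth` mapping continues outside the hunk.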