Merge "Charts to use their own service accounts"

This commit is contained in:
Zuul
2025-06-16 19:17:21 +00:00
committed by Gerrit Code Review
12 changed files with 112 additions and 38 deletions


@@ -54,22 +54,22 @@ limitations under the License.
{{- end }} {{- end }}
{{- if empty $envAll.Values.conf.cinder.nova.region_name -}} {{- if empty $envAll.Values.conf.cinder.nova.region_name -}}
{{- $_ := set $envAll.Values.conf.cinder.nova "region_name" $envAll.Values.endpoints.identity.auth.cinder.region_name -}} {{- $_ := set $envAll.Values.conf.cinder.nova "region_name" $envAll.Values.endpoints.identity.auth.nova.region_name -}}
{{- end -}} {{- end -}}
{{- if empty $envAll.Values.conf.cinder.nova.project_name -}} {{- if empty $envAll.Values.conf.cinder.nova.project_name -}}
{{- $_ := set $envAll.Values.conf.cinder.nova "project_name" $envAll.Values.endpoints.identity.auth.cinder.project_name -}} {{- $_ := set $envAll.Values.conf.cinder.nova "project_name" $envAll.Values.endpoints.identity.auth.nova.project_name -}}
{{- end -}} {{- end -}}
{{- if empty $envAll.Values.conf.cinder.nova.project_domain_name -}} {{- if empty $envAll.Values.conf.cinder.nova.project_domain_name -}}
{{- $_ := set $envAll.Values.conf.cinder.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.cinder.project_domain_name -}} {{- $_ := set $envAll.Values.conf.cinder.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.nova.project_domain_name -}}
{{- end -}} {{- end -}}
{{- if empty $envAll.Values.conf.cinder.nova.user_domain_name -}} {{- if empty $envAll.Values.conf.cinder.nova.user_domain_name -}}
{{- $_ := set $envAll.Values.conf.cinder.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.cinder.user_domain_name -}} {{- $_ := set $envAll.Values.conf.cinder.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.nova.user_domain_name -}}
{{- end -}} {{- end -}}
{{- if empty $envAll.Values.conf.cinder.nova.username -}} {{- if empty $envAll.Values.conf.cinder.nova.username -}}
{{- $_ := set $envAll.Values.conf.cinder.nova "username" $envAll.Values.endpoints.identity.auth.cinder.username -}} {{- $_ := set $envAll.Values.conf.cinder.nova "username" $envAll.Values.endpoints.identity.auth.nova.username -}}
{{- end -}} {{- end -}}
{{- if empty $envAll.Values.conf.cinder.nova.password -}} {{- if empty $envAll.Values.conf.cinder.nova.password -}}
{{- $_ := set $envAll.Values.conf.cinder.nova "password" $envAll.Values.endpoints.identity.auth.cinder.password -}} {{- $_ := set $envAll.Values.conf.cinder.nova "password" $envAll.Values.endpoints.identity.auth.nova.password -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.cinder.database.connection -}} {{- if empty .Values.conf.cinder.database.connection -}}
@@ -97,19 +97,19 @@ limitations under the License.
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.DEFAULT "backup_swift_auth_url" -}} {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.DEFAULT "backup_swift_auth_url" -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user_domain -}} {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user_domain -}}
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user_domain" .Values.endpoints.identity.auth.cinder.user_domain_name -}} {{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user_domain" .Values.endpoints.identity.auth.swift.user_domain_name -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user -}} {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user -}}
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user" .Values.endpoints.identity.auth.cinder.username -}} {{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user" .Values.endpoints.identity.auth.swift.username -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_key -}} {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_key -}}
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_key" .Values.endpoints.identity.auth.cinder.password -}} {{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_key" .Values.endpoints.identity.auth.swift.password -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project_domain -}} {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project_domain -}}
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project_domain" .Values.endpoints.identity.auth.cinder.project_domain_name -}} {{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project_domain" .Values.endpoints.identity.auth.swift.project_domain_name -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project -}} {{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project -}}
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project" .Values.endpoints.identity.auth.cinder.project_name -}} {{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project" .Values.endpoints.identity.auth.swift.project_name -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.cinder.DEFAULT.swift_catalog_info -}} {{- if empty .Values.conf.cinder.DEFAULT.swift_catalog_info -}}
{{- $_ := set .Values.conf.cinder.DEFAULT "swift_catalog_info" "object-store:swift:internalURL" -}} {{- $_ := set .Values.conf.cinder.DEFAULT "swift_catalog_info" "object-store:swift:internalURL" -}}
@@ -125,22 +125,22 @@ limitations under the License.
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.cinder.service_user "auth_url" -}} {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.cinder.service_user "auth_url" -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.cinder.service_user.region_name -}} {{- if empty .Values.conf.cinder.service_user.region_name -}}
{{- $_ := set .Values.conf.cinder.service_user "region_name" .Values.endpoints.identity.auth.cinder.region_name -}} {{- $_ := set .Values.conf.cinder.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.cinder.service_user.project_name -}} {{- if empty .Values.conf.cinder.service_user.project_name -}}
{{- $_ := set .Values.conf.cinder.service_user "project_name" .Values.endpoints.identity.auth.cinder.project_name -}} {{- $_ := set .Values.conf.cinder.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.cinder.service_user.project_domain_name -}} {{- if empty .Values.conf.cinder.service_user.project_domain_name -}}
{{- $_ := set .Values.conf.cinder.service_user "project_domain_name" .Values.endpoints.identity.auth.cinder.project_domain_name -}} {{- $_ := set .Values.conf.cinder.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.cinder.service_user.user_domain_name -}} {{- if empty .Values.conf.cinder.service_user.user_domain_name -}}
{{- $_ := set .Values.conf.cinder.service_user "user_domain_name" .Values.endpoints.identity.auth.cinder.user_domain_name -}} {{- $_ := set .Values.conf.cinder.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.cinder.service_user.username -}} {{- if empty .Values.conf.cinder.service_user.username -}}
{{- $_ := set .Values.conf.cinder.service_user "username" .Values.endpoints.identity.auth.cinder.username -}} {{- $_ := set .Values.conf.cinder.service_user "username" .Values.endpoints.identity.auth.service.username -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.cinder.service_user.password -}} {{- if empty .Values.conf.cinder.service_user.password -}}
{{- $_ := set .Values.conf.cinder.service_user "password" .Values.endpoints.identity.auth.cinder.password -}} {{- $_ := set .Values.conf.cinder.service_user "password" .Values.endpoints.identity.auth.service.password -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
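Review bot: The `backup_swift_*` defaults in the second hunk now always fall back to `endpoints.identity.auth.swift`, while the cinder ks-user template in this commit only provisions that account when `backup_driver` contains `cinder.backup.drivers.swift`; with any other backup driver cinder.conf is rendered with a username and password for an account that never exists. Wrapping that block in the same condition, `{{- if contains "cinder.backup.drivers.swift" (.Values.conf.cinder.DEFAULT.backup_driver | default "") }}`, keeps the rendered config and the provisioned accounts in step. The `service_user` block in the third hunk has the same shape: it is filled from `auth.service` even when `send_service_user_token` is off, which is the only case the job creates that user. The enclosing define begins before the first hunk and its opening is not visible here.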


@@ -18,7 +18,14 @@ helm.sh/hook-weight: "-1"
{{- end }} {{- end }}
{{- if .Values.manifests.job_ks_user }} {{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}} {{- $serviceUsers := (tuple "cinder" "nova") -}}
{{- if (contains "cinder.backup.drivers.swift" .Values.conf.cinder.DEFAULT.backup_driver) }}
{{- $serviceUsers = append $serviceUsers "swift" -}}
{{- end }}
{{- if .Values.conf.cinder.service_user.send_service_user_token -}}
{{- $serviceUsers = append $serviceUsers "service" -}}
{{- end }}
{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" "serviceUsers" $serviceUsers -}}
{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}} {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
{{- end -}} {{- end -}}
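Review bot: The second added line passes `.Values.conf.cinder.DEFAULT.backup_driver` straight to `contains`, so an override that leaves that key unset (nil) will presumably abort rendering rather than simply skip the swift account; the neutron template in this same commit guards its equivalent lookup with `| default ""`. Suggest `{{- if contains "cinder.backup.drivers.swift" (.Values.conf.cinder.DEFAULT.backup_driver | default "") }}` for consistency and to make the unset case a no-op.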


@@ -14,7 +14,7 @@ limitations under the License.
{{- if .Values.manifests.secret_keystone }} {{- if .Values.manifests.secret_keystone }}
{{- $envAll := . }} {{- $envAll := . }}
{{- range $key1, $userClass := tuple "admin" "cinder" "test" }} {{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }}
{{- $secretName := index $envAll.Values.secrets.identity $userClass }} {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
--- ---
apiVersion: v1 apiVersion: v1
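Review bot: The range now walks every key of `endpoints.identity.auth`, but the following line still does `index $envAll.Values.secrets.identity $userClass`, which returns nil for any auth entry without a matching `secrets.identity` name (for example one added in an operator override); the Secret would then presumably be emitted with an empty `name` and fail at install time instead of at render time. Consider `{{- $secretName := index $envAll.Values.secrets.identity $userClass | required (printf "secrets.identity.%s is not set" $userClass) }}` so the mismatch is reported with the offending key. The range body continues past the end of the hunk.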


@@ -1243,6 +1243,9 @@ secrets:
identity: identity:
admin: cinder-keystone-admin admin: cinder-keystone-admin
cinder: cinder-keystone-user cinder: cinder-keystone-user
nova: cinder-keystone-nova
swift: cinder-keystone-swift
service: cinder-keystone-service
test: cinder-keystone-test test: cinder-keystone-test
oslo_db: oslo_db:
admin: cinder-db-admin admin: cinder-db-admin
@@ -1312,6 +1315,30 @@ endpoints:
project_name: service project_name: service
user_domain_name: service user_domain_name: service
project_domain_name: service project_domain_name: service
nova:
role: admin,service
region_name: RegionOne
project_name: service
username: cinder_nova
password: password
user_domain_name: service
project_domain_name: service
swift:
role: admin,service
region_name: RegionOne
project_name: service
username: cinder_swift
password: password
user_domain_name: service
project_domain_name: service
service:
role: admin,service
region_name: RegionOne
project_name: service
username: cinder_service_user
password: password
user_domain_name: service
project_domain_name: service
test: test:
role: admin role: admin
region_name: RegionOne region_name: RegionOne
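Review bot: The three new accounts are given `role: admin,service` plus the placeholder password `password`; `service` is the role keystonemiddleware checks incoming service tokens against (its `service_token_roles` default is `service`), and for the nova and swift callers `admin` is presumably broader than the specific APIs cinder invokes require. Consider defaulting these to `role: service` and adding `admin` only where a policy in the target service still demands it. Because these accounts are newly created by the chart rather than shared with another chart, a comment such as `# NOTE: placeholder password, must be overridden in site values` on each entry would make the expectation explicit.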


@@ -18,7 +18,14 @@ helm.sh/hook-weight: "-1"
{{- end }} {{- end }}
{{- if .Values.manifests.job_ks_user }} {{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}} {{- $serviceUsers := (tuple "neutron" "nova" "placement") -}}
{{- if eq (.Values.conf.neutron.DEFAULT.external_dns_driver | default "") "designate" -}}
{{- $serviceUsers = append $serviceUsers "designate" -}}
{{- end -}}
{{- if (has "baremetal" .Values.network.backend) -}}
{{- $serviceUsers = append $serviceUsers "ironic" -}}
{{- end -}}
{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" "serviceUsers" $serviceUsers -}}
{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}} {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
{{- end -}} {{- end -}}
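Review bot: `has "baremetal" .Values.network.backend` on the ironic branch assumes `network.backend` is a list; an override that sets it to a plain string would presumably make `has` fail at render time, so `(.Values.network.backend | default list)` or a short comment stating the list requirement would help. The `nova` and `placement` entries on the first changed line are always created while `designate` and `ironic` are conditional; a one-line comment naming what each unconditional account is used for would let operators judge whether they can be trimmed.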


@@ -14,7 +14,7 @@ limitations under the License.
{{- if .Values.manifests.secret_keystone }} {{- if .Values.manifests.secret_keystone }}
{{- $envAll := . }} {{- $envAll := . }}
{{- range $key1, $userClass := tuple "admin" "neutron" "test" }} {{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }}
{{- $secretName := index $envAll.Values.secrets.identity $userClass }} {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
--- ---
apiVersion: v1 apiVersion: v1
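Review bot: With the range now driven by `endpoints.identity.auth`, the `index $envAll.Values.secrets.identity $userClass` on the next line silently yields nil whenever an auth entry has no counterpart in `secrets.identity`, which presumably produces a Secret with an empty name and a late install failure. Guarding it with `required`, e.g. `{{- $secretName := index $envAll.Values.secrets.identity $userClass | required (printf "secrets.identity.%s is not set" $userClass) }}`, turns that into a clear render-time error. The rest of the range body lies outside the hunk.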


@@ -2316,6 +2316,10 @@ secrets:
identity: identity:
admin: neutron-keystone-admin admin: neutron-keystone-admin
neutron: neutron-keystone-user neutron: neutron-keystone-user
nova: neutron-keystone-nova
placement: neutron-keystone-placement
designate: neutron-keystone-designate
ironic: neutron-keystone-ironic
test: neutron-keystone-test test: neutron-keystone-test
oslo_db: oslo_db:
admin: neutron-db-admin admin: neutron-db-admin
@@ -2477,30 +2481,34 @@ endpoints:
user_domain_name: service user_domain_name: service
project_domain_name: service project_domain_name: service
nova: nova:
role: admin,service
region_name: RegionOne region_name: RegionOne
project_name: service project_name: service
username: nova username: neutron_nova
password: password password: password
user_domain_name: service user_domain_name: service
project_domain_name: service project_domain_name: service
placement: placement:
role: admin,service
region_name: RegionOne region_name: RegionOne
project_name: service project_name: service
username: placement username: neutron_placement
password: password password: password
user_domain_name: service user_domain_name: service
project_domain_name: service project_domain_name: service
designate: designate:
role: admin,service
region_name: RegionOne region_name: RegionOne
project_name: service project_name: service
username: designate username: neutron_designate
password: password password: password
user_domain_name: service user_domain_name: service
project_domain_name: service project_domain_name: service
ironic: ironic:
role: admin,service
region_name: RegionOne region_name: RegionOne
project_name: service project_name: service
username: ironic username: neutron_ironic
password: password password: password
user_domain_name: service user_domain_name: service
project_domain_name: service project_domain_name: service
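Review bot: Changing the default usernames from `nova`/`placement`/`designate`/`ironic` to `neutron_*` is a behavioural change for existing deployments: on upgrade the ks-user job provisions the new accounts and neutron.conf switches to them, and sites that deliberately pinned `username: nova` to share the nova chart's account keep working only while their override still carries the matching password. That deserves a sentence in the release note, which currently only says accounts are created. The `designate` and `ironic` entries also gain `role: admin,service` even though those users are created only conditionally; `service` alone is presumably enough for the notification calls neutron makes, so consider the narrower default.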


@@ -61,22 +61,22 @@ limitations under the License.
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.service_user "auth_url" -}} {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.service_user "auth_url" -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.nova.service_user.region_name -}} {{- if empty .Values.conf.nova.service_user.region_name -}}
{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.nova.region_name -}} {{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.nova.service_user.project_name -}} {{- if empty .Values.conf.nova.service_user.project_name -}}
{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.nova.project_name -}} {{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.nova.service_user.project_domain_name -}} {{- if empty .Values.conf.nova.service_user.project_domain_name -}}
{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.nova.project_domain_name -}} {{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.nova.service_user.user_domain_name -}} {{- if empty .Values.conf.nova.service_user.user_domain_name -}}
{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.nova.user_domain_name -}} {{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.nova.service_user.username -}} {{- if empty .Values.conf.nova.service_user.username -}}
{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.nova.username -}} {{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.service.username -}}
{{- end -}} {{- end -}}
{{- if empty .Values.conf.nova.service_user.password -}} {{- if empty .Values.conf.nova.service_user.password -}}
{{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.nova.password -}} {{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.service.password -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
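Review bot: `[service_user]` is now filled from `auth.service` unconditionally, whereas the nova ks-user template in this commit only provisions that account when `send_service_user_token` is set, so a deployment with it disabled renders a username and password for an account that does not exist. Wrapping these defaults in `{{- if .Values.conf.nova.service_user.send_service_user_token }}` keeps the config and the provisioned accounts consistent. The define this code sits in starts before the hunk.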


@@ -18,7 +18,11 @@ helm.sh/hook-weight: "-1"
{{- end }} {{- end }}
{{- if .Values.manifests.job_ks_user }} {{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "nova" -}} {{- $serviceUsers := (tuple "nova" "neutron" "placement" "ironic" "cinder") -}}
{{- if .Values.conf.nova.service_user.send_service_user_token }}
{{- $serviceUsers = append $serviceUsers "service" -}}
{{- end }}
{{- $ksUserJob := dict "envAll" . "serviceName" "nova" "serviceUsers" $serviceUsers -}}
{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}} {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
{{- end -}} {{- end -}}
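Review bot: Unlike the cinder and neutron templates in this commit, the `ironic` and `cinder` entries on the first changed line are provisioned unconditionally, so every nova deployment receives a `nova_ironic` account carrying `admin,service` even when the ironic driver is not in use. Consider gating `ironic` the way neutron gates on `baremetal`, keyed on whichever value selects the ironic compute driver, and adding a short comment naming what each always-created account is needed for so the list is reviewable later.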


@@ -14,7 +14,7 @@ limitations under the License.
{{- if .Values.manifests.secret_keystone }} {{- if .Values.manifests.secret_keystone }}
{{- $envAll := . }} {{- $envAll := . }}
{{- range $key1, $userClass := tuple "admin" "nova" "test" }} {{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }}
{{- $secretName := index $envAll.Values.secrets.identity $userClass }} {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
--- ---
apiVersion: v1 apiVersion: v1
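Review bot: Iterating over `endpoints.identity.auth` means `index $envAll.Values.secrets.identity $userClass` on the following line can now come back nil for an auth key that was never added to `secrets.identity`, presumably yielding a Secret with an empty name that only fails when applied. A `required` guard, `{{- $secretName := index $envAll.Values.secrets.identity $userClass | required (printf "secrets.identity.%s is not set" $userClass) }}`, reports the missing mapping at template time. The range body extends beyond the hunk.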


@@ -1641,6 +1641,11 @@ secrets:
identity: identity:
admin: nova-keystone-admin admin: nova-keystone-admin
nova: nova-keystone-user nova: nova-keystone-user
neutron: nova-keystone-neutron
placement: nova-keystone-placement
cinder: nova-keystone-cinder
ironic: nova-keystone-ironic
service: nova-keystone-service
test: nova-keystone-test test: nova-keystone-test
oslo_db: oslo_db:
admin: nova-db-admin admin: nova-db-admin
@@ -1824,30 +1829,40 @@ endpoints:
project_name: service project_name: service
user_domain_name: service user_domain_name: service
project_domain_name: service project_domain_name: service
service:
role: admin,service
region_name: RegionOne
username: nova_service_user
password: password
project_name: service
user_domain_name: service
project_domain_name: service
# NOTE(portdirect): the neutron user is not managed by the nova chart # NOTE(portdirect): the neutron user is not managed by the nova chart
# these values should match those set in the neutron chart. # these values should match those set in the neutron chart.
neutron: neutron:
role: admin,service
region_name: RegionOne region_name: RegionOne
project_name: service project_name: service
user_domain_name: service user_domain_name: service
project_domain_name: service project_domain_name: service
username: neutron username: nova_neutron
password: password password: password
# NOTE(portdirect): the ironic user is not managed by the nova chart # NOTE(portdirect): the ironic user is not managed by the nova chart
# these values should match those set in the ironic chart. # these values should match those set in the ironic chart.
ironic: ironic:
role: admin,service
auth_type: password auth_type: password
auth_version: v3 auth_version: v3
region_name: RegionOne region_name: RegionOne
project_name: service project_name: service
user_domain_name: service user_domain_name: service
project_domain_name: service project_domain_name: service
username: ironic username: nova_ironic
password: password password: password
placement: placement:
role: admin role: admin,service
region_name: RegionOne region_name: RegionOne
username: placement username: nova_placement
password: password password: password
project_name: service project_name: service
user_domain_name: service user_domain_name: service
@@ -1855,7 +1870,7 @@ endpoints:
cinder: cinder:
role: admin,service role: admin,service
region_name: RegionOne region_name: RegionOne
username: cinder username: nova_cinder
password: password password: password
project_name: service project_name: service
user_domain_name: service user_domain_name: service
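Review bot: The two `NOTE(portdirect)` comments above the `neutron` and `ironic` entries are now wrong: the usernames become `nova_neutron` and `nova_ironic`, the nova ks-user job in this commit creates both, and they no longer have to match the other chart's values. Replace each with something like `# NOTE: this account is created by the nova chart's ks-user job and is distinct from the neutron (ironic) chart's own service user`. The `placement` entry also moves from `admin` to `admin,service`; a brief comment on why `service` is now required there would help, and `service` alone is presumably sufficient if the placement policy accepts it.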


@@ -0,0 +1,6 @@
---
neutron:
- |
Create multiple Keystone service accounts to access to
other Openstack APIs
...