Helm-Toolkit: move keystone user jobs to helm-toolkit

This PS moves the keystone user jobs to be driven by a helm-toolkit function providing greater consistency to the charts in OSH, and reduced tech debt. Change-Id: Ic5eb172b0443f61b8ecab8b3a607c764fb145c75
2018-02-06 18:45:04 -05:00 · 2018-02-06 18:45:04 -05:00 · f296acf647
commit f296acf647
parent fb4fe70bf8
18 changed files with 240 additions and 742 deletions
--- a/barbican/templates/job-ks-user.yaml
+++ b/barbican/templates/job-ks-user.yaml
@ -15,54 +15,8 @@ limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user }}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.node_selector_key .Values.labels.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "barbican-bin" "serviceName" "barbican" "serviceUser" "barbican" }}
-{{- $serviceAccountName := "barbican-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: barbican-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "barbican" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: barbican-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "barbican"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.barbican }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.barbican.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: barbican-bin
            defaultMode: 0555
 {{- end }}
--- a/ceilometer/templates/job-ks-user.yaml
+++ b/ceilometer/templates/job-ks-user.yaml
@ -15,51 +15,8 @@ limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user }}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.job.node_selector_key .Values.labels.job.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "ceilometer-bin" "serviceName" "ceilometer" "serviceUser" "ceilometer" }}
-{{- $serviceAccountName := "ceilometer-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: ceilometer-ks-user
 spec:
  template:
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: ceilometer-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "ceilometer"
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.ceilometer }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.ceilometer.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: ceilometer-bin
            defaultMode: 0555
 {{- end }}
--- a/ceph/templates/job-ks-user.yaml
+++ b/ceph/templates/job-ks-user.yaml
@ -15,54 +15,8 @@ limitations under the License.
 */}}
 {{- if and .Values.manifests.job_ks_user .Values.deployment.rgw_keystone_user_and_endpoints }}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.jobs.node_selector_key .Values.labels.jobs.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "ceph-bin-ks" "serviceName" "ceph" "serviceUser" "swift" }}
-{{- $serviceAccountName := "ceph-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: ceph-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "ceph" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ $envAll.Values.labels.jobs.node_selector_key }}: {{ $envAll.Values.labels.jobs.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: ceph-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "ceph"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.swift }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.swift.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: ceph-bin-ks
            defaultMode: 0555
 {{- end }}
--- a/cinder/templates/job-ks-user.yaml
+++ b/cinder/templates/job-ks-user.yaml
@ -15,54 +15,8 @@ limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user }}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.node_selector_key .Values.labels.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "cinder-bin" "serviceName" "cinder" "serviceUser" "cinder" }}
-{{- $serviceAccountName := "cinder-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: cinder-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "cinder" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: cinder-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "cinder"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.cinder }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.cinder.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: cinder-bin
            defaultMode: 0555
 {{- end }}
--- a/congress/templates/job-ks-user.yaml
+++ b/congress/templates/job-ks-user.yaml
@ -15,54 +15,8 @@ limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user }}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.node_selector_key .Values.labels.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "congress-bin" "serviceName" "congress" "serviceUser" "congress" }}
-{{- $serviceAccountName := "congress-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: congress-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "congress" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: congress-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "congress"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.congress }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.congress.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: congress-bin
            defaultMode: 0555
 {{- end }}
--- a/glance/templates/job-ks-user.yaml
+++ b/glance/templates/job-ks-user.yaml
@ -15,54 +15,8 @@ limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user }}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.node_selector_key .Values.labels.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "glance-bin" "serviceName" "glance" "serviceUser" "glance" }}
-{{- $serviceAccountName := "glance-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: glance-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "glance" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: glance-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "glance"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.glance }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.glance.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: glance-bin
            defaultMode: 0555
 {{- end }}
--- a/gnocchi/templates/job-ks-user.yaml
+++ b/gnocchi/templates/job-ks-user.yaml
@ -15,54 +15,8 @@ limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user }}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.node_selector_key .Values.labels.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "gnocchi-bin" "serviceName" "gnocchi" "serviceUser" "gnocchi" }}
-{{- $serviceAccountName := "gnocchi-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: gnocchi-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "gnocchi" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: gnocchi-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "gnocchi"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.gnocchi }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.gnocchi.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: gnocchi-bin
            defaultMode: 0555
 {{- end }}
--- a/heat/templates/job-ks-user-domain.yaml
+++ b/heat/templates/job-ks-user-domain.yaml
@ -0,0 +1,84 @@
 {{/*
 Copyright 2017 The Openstack-Helm Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user_domain }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
 {{- $serviceAccountName := "heat-ks-user-domain" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: heat-domain-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "heat" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: heat-ks-domain-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
          command:
            - /tmp/ks-domain-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-domain-user.sh
              subPath: ks-domain-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "heat"
            - name: SERVICE_OS_REGION_NAME
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secrets.identity.heat_stack_user }}
                  key: OS_REGION_NAME
            - name: SERVICE_OS_DOMAIN_NAME
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secrets.identity.heat_stack_user }}
                  key: OS_DOMAIN_NAME
            - name: SERVICE_OS_USERNAME
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secrets.identity.heat_stack_user }}
                  key: OS_USERNAME
            - name: SERVICE_OS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secrets.identity.heat_stack_user }}
                  key: OS_PASSWORD
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.heat_stack_user.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: heat-bin
            defaultMode: 0555
 {{- end }}
--- a/heat/templates/job-ks-user-trustee.yaml
+++ b/heat/templates/job-ks-user-trustee.yaml
@ -0,0 +1,22 @@
 {{/*
 Copyright 2017 The Openstack-Helm Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user_trustee }}
 {{- $nodeSelector := dict .Values.labels.node_selector_key .Values.labels.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
 {{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "heat-bin" "serviceName" "heat" "serviceUser" "heat_trustee" }}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{- end }}
--- a/heat/templates/job-ks-user.yaml
+++ b/heat/templates/job-ks-user.yaml
@ -15,113 +15,8 @@ limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user }}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.node_selector_key .Values.labels.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "heat-bin" "serviceName" "heat" "serviceUser" "heat" }}
-{{- $serviceAccountName := "heat-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: heat-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "heat" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: heat-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "heat"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.heat }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.heat.role | quote }}
        - name: heat-ks-trustee-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "heat"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.heat_trustee }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.heat_trustee.role | quote }}
        - name: heat-ks-domain-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
          command:
            - /tmp/ks-domain-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-domain-user.sh
              subPath: ks-domain-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "heat"
            - name: SERVICE_OS_REGION_NAME
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secrets.identity.heat_stack_user }}
                  key: OS_REGION_NAME
            - name: SERVICE_OS_DOMAIN_NAME
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secrets.identity.heat_stack_user }}
                  key: OS_DOMAIN_NAME
            - name: SERVICE_OS_USERNAME
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secrets.identity.heat_stack_user }}
                  key: OS_USERNAME
            - name: SERVICE_OS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secrets.identity.heat_stack_user }}
                  key: OS_PASSWORD
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.heat_stack_user.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: heat-bin
            defaultMode: 0555
 {{- end }}
--- a/heat/values.yaml
+++ b/heat/values.yaml
@ -284,6 +284,8 @@ dependencies:
  trusts:
    jobs:
    - heat-ks-user
    - heat-trustee-ks-user
    - heat-domain-ks-user
    services:
    - service: identity
      endpoint: internal
@ -291,6 +293,8 @@ dependencies:
    jobs:
    - heat-db-sync
    - heat-ks-user
    - heat-trustee-ks-user
    - heat-domain-ks-user
    - heat-ks-endpoints
    services:
    - service: oslo_db
@ -301,6 +305,8 @@ dependencies:
    jobs:
    - heat-db-sync
    - heat-ks-user
    - heat-trustee-ks-user
    - heat-domain-ks-user
    - heat-ks-endpoints
    services:
    - service: oslo_db
@ -311,6 +317,8 @@ dependencies:
    jobs:
    - heat-db-sync
    - heat-ks-user
    - heat-trustee-ks-user
    - heat-domain-ks-user
    - heat-ks-endpoints
    services:
    - service: oslo_db
@ -321,6 +329,8 @@ dependencies:
    jobs:
    - heat-db-sync
    - heat-ks-user
    - heat-trustee-ks-user
    - heat-domain-ks-user
    - heat-ks-endpoints
    services:
    - service: oslo_db
@ -646,6 +656,8 @@ manifests:
  job_db_drop: false
  job_ks_endpoints: true
  job_ks_service: true
  job_ks_user_domain: true
  job_ks_user_trustee: true
  job_ks_user: true
  pdb_api: true
  pdb_cfn: true
--- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@ -0,0 +1,80 @@
 {{/*
 Copyright 2017 The Openstack-Helm Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 # This function creates a manifest for keystone user management.
 # It can be used in charts dict created similar to the following:
 # {- $nodeSelector := dict .Values.labels.node_selector_key .Values.labels.node_selector_value }
 # {- $dependencies := .Values.dependencies.ks_user }
 # {- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "senlin-bin" "serviceName" "senlin" "serviceUser" "senlin" }
 # { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
 {{- define "helm-toolkit.manifests.job_ks_user" -}}
 {{- $envAll := index . "envAll" -}}
 {{- $nodeSelector := index . "nodeSelector" -}}
 {{- $dependencies := index . "dependencies" -}}
 {{- $configMapBin := index . "configMapBin" -}}
 {{- $serviceName := index . "serviceName" -}}
 {{- $serviceUser := index . "serviceUser" -}}
 {{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
 {{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName | quote }}
      restartPolicy: OnFailure
      nodeSelector:
 {{ toYaml $nodeSelector | indent 8 }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: ks-user
          image: {{ $envAll.Values.images.tags.ks_user | quote }}
          imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: {{ $serviceName | quote }}
 {{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ index $envAll.Values.endpoints.identity.auth $serviceUser "role" | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: {{ $configMapBin | quote }}
            defaultMode: 0555
 {{- end -}}
--- a/magnum/templates/job-ks-user.yaml
+++ b/magnum/templates/job-ks-user.yaml
@ -15,54 +15,8 @@ limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user }}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.node_selector_key .Values.labels.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "magnum-bin" "serviceName" "magnum" "serviceUser" "magnum" }}
-{{- $serviceAccountName := "magnum-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: magnum-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "magnum" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: magnum-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "magnum"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.magnum }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.magnum.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: magnum-bin
            defaultMode: 0555
 {{- end }}
--- a/mistral/templates/job-ks-user.yaml
+++ b/mistral/templates/job-ks-user.yaml
@ -15,54 +15,8 @@ limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user }}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.node_selector_key .Values.labels.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "mistral-bin" "serviceName" "mistral" "serviceUser" "mistral" }}
-{{- $serviceAccountName := "mistral-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: mistral-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "mistral" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: mistral-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "mistral"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.mistral }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.mistral.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: mistral-bin
            defaultMode: 0555
 {{- end }}
--- a/neutron/templates/job-ks-user.yaml
+++ b/neutron/templates/job-ks-user.yaml
@ -15,54 +15,8 @@ limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user }}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.server.node_selector_key .Values.labels.server.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "neutron-bin" "serviceName" "neutron" "serviceUser" "neutron" }}
-{{- $serviceAccountName := "neutron-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: neutron-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "neutron" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: neutron-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "neutron"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.neutron }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.neutron.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: neutron-bin
            defaultMode: 0555
 {{- end }}
--- a/nova/templates/job-ks-user.yaml
+++ b/nova/templates/job-ks-user.yaml
@ -15,54 +15,8 @@ limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user }}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.job.node_selector_key .Values.labels.job.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "nova-bin" "serviceName" "nova" "serviceUser" "nova" }}
-{{- $serviceAccountName := "nova-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: nova-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "nova" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: nova-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.db_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "nova"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.nova }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.nova.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: nova-bin
            defaultMode: 0555
 {{- end }}
--- a/rally/templates/job-ks-user.yaml
+++ b/rally/templates/job-ks-user.yaml
@ -14,53 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.node_selector_key .Values.labels.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "rally-bin" "serviceName" "rally" "serviceUser" "rally" }}
-{{- $serviceAccountName := "rally-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: rally-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "rally" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: rally-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "rally"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.rally }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.rally.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: rally-bin
            defaultMode: 0555
--- a/senlin/templates/job-ks-user.yaml
+++ b/senlin/templates/job-ks-user.yaml
@ -15,54 +15,8 @@ limitations under the License.
 */}}
 {{- if .Values.manifests.job_ks_user }}
-{{- $envAll := . }}
+{{- $nodeSelector := dict .Values.labels.node_selector_key .Values.labels.node_selector_value }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-
+{{- $ksUserJob := dict "envAll" . "nodeSelector" $nodeSelector "dependencies" $dependencies "configMapBin" "senlin-bin" "serviceName" "senlin" "serviceUser" "senlin" }}
-{{- $serviceAccountName := "senlin-ks-user" }}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: senlin-ks-user
 spec:
  template:
    metadata:
      labels:
 {{ tuple $envAll "senlin" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
 {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: senlin-ks-user
          image: {{ .Values.images.tags.ks_user }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/ks-user.sh
          volumeMounts:
            - name: ks-user-sh
              mountPath: /tmp/ks-user.sh
              subPath: ks-user.sh
              readOnly: true
          env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_SERVICE_NAME
              value: "senlin"
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.senlin }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
            - name: SERVICE_OS_ROLE
              value: {{ .Values.endpoints.identity.auth.senlin.role | quote }}
      volumes:
        - name: ks-user-sh
          configMap:
            name: senlin-bin
            defaultMode: 0555
 {{- end }}