Get admin password and use it on config template

The pci-irq-affinity-agent uses the platform keyring file to
fetch the admin password to communicate with OpenStack services,
but now that the agent is raised during the application apply it
can use the same approach the other helm charts use to get the
credentials, using it's plugin to capture the information and
generate the system overrides with the values.

This commit:
- Changes the plugin to get the credentials
- Changes the pci-irq-affinity-agent helm chart to include the
password on the chart values and use it on the agent config file
template
- Adds an init container with dependencies on libvirt and nova
compute pods, so that the agent pod is only create when those
are available
- Removes the keyring mount on the container, which will not be
needed anymore with the previous changes and is causing failure
when raising the pod
- Removes additional keyring tools

Depends-On: https://review.opendev.org/c/starlingx/utilities/+/818620
Closes-Bug: 1951245
Signed-off-by: Heitor Matsui <HeitorVieira.Matsui@windriver.com>
Change-Id: I26f993146b8a17b7602a45f0cd5d983c1d93b0c1

python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/pci_irq_affinity_agent.py

@@ -18,6 +18,8 @@ class PciIrqAffinityAgentHelm(openstack.OpenstackBaseHelm):
     """Class to encapsulate helm operations for the PCI IRQ affinity agent chart"""
 
     CHART = app_constants.HELM_CHART_PCI_IRQ_AFFINITY_AGENT
+    AUTH_USERS = ['pci-irq-affinity-agent']
+    SERVICE_NAME = app_constants.HELM_CHART_PCI_IRQ_AFFINITY_AGENT
 
     def __init__(self, operator):
         super(PciIrqAffinityAgentHelm, self).__init__(operator)
@@ -46,6 +48,12 @@ class PciIrqAffinityAgentHelm(openstack.OpenstackBaseHelm):
         )['nova']
 
         overrides = {
+            'identity': {
+              'auth': self._get_endpoints_identity_overrides(
+                  self.SERVICE_NAME,
+                  self.AUTH_USERS
+              ),
+            },
             'rabbit': {
                 'rabbit_userid': nova_oslo_messaging_data['username'],
                 'rabbit_password': nova_oslo_messaging_data['password'],

stx-openstack-helm/stx-openstack-helm/helm-charts/pci-irq-affinity-agent/templates/bin/_patch_keyring.sh.tpl

@@ -1,13 +0,0 @@
-#!/bin/bash
-
-#
-# Copyright (c) 2021 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-# Script to patch the keyring library so that it allows automation
-# by not asking for user input on the keyring password
-# This 'change' was taken from the platform keyring library
-KEYRING_LIB=$(find / -name file.py)
-sed -i '/self.keyring_key *= *getpass.getpass(/,/)/s/^/#/;/self.keyring_key *= *getpass.getpass/i\        # TAKEN FROM PLATFORM KEYRING CODE\n\        self.keyring_key = "Please set a password for your new keyring: "' $KEYRING_LIB

stx-openstack-helm/stx-openstack-helm/helm-charts/pci-irq-affinity-agent/templates/bin/_start.sh.tpl

@@ -7,5 +7,4 @@
 #
 
 # Script to encapsulate the starting routines
-sh -c /tmp/patch_keyring.sh
 python /tmp/start.py

stx-openstack-helm/stx-openstack-helm/helm-charts/pci-irq-affinity-agent/templates/configmap-bin.yaml

@@ -19,8 +19,6 @@ data:
 {{ tuple "bin/_start.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   health-probe.py: |
 {{ tuple "bin/_health-probe.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-  patch_keyring.sh: |
-{{ tuple "bin/_patch_keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   start.sh: |
 {{ tuple "bin/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}

stx-openstack-helm/stx-openstack-helm/helm-charts/pci-irq-affinity-agent/templates/configmap-etc.yaml

@@ -17,5 +17,4 @@ metadata:
 type: Opaque
 data:
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.template "key" "config.ini" "format" "Secret") | indent 2 }}
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.keyring "key" "keyringrc.cfg" "format" "Secret") | indent 2 }}
 {{- end }}

stx-openstack-helm/stx-openstack-helm/helm-charts/pci-irq-affinity-agent/templates/daemonset.yaml

@@ -10,9 +10,10 @@
 {{- $daemonset := "pci-irq-affinity-agent" }}
 {{- $configMapName := "pci-irq-affinity-agent-etc" }}
 {{- $binConfigMapName := "pci-irq-affinity-agent-bin" }}
+{{- $mounts_pci_irq_affinity_agent_init := .Values.pod.mounts.pci_irq_affinity_agent.init_container }}
 {{- $envAll := . }}
 
-{{- tuple $envAll "agent" $daemonset | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+{{- tuple $envAll "pci_irq_affinity_agent" $daemonset | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1
 kind: DaemonSet
@@ -36,6 +37,8 @@ spec:
         {{ .Values.labels.agent.pci_irq_affinity_agent.node_selector_key }}: {{ .Values.labels.agent.pci_irq_affinity_agent.node_selector_value }}
       tolerations:
 {{ toYaml .Values.tolerations | indent 8 }}
+      initContainers:
+{{ tuple $envAll "pci_irq_affinity_agent" $mounts_pci_irq_affinity_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
         - name: pci-irq-affinity-agent
           image: {{ .Values.images.tags.pci_irq_affinity_agent }}
@@ -77,13 +80,6 @@ spec:
             mountPath: /etc/pci_irq_affinity/config.ini
             subPath: config.ini
             readOnly: true
-          - name: {{ $configMapName }}
-            mountPath: /root/.local/share/python_keyring/keyringrc.cfg
-            subPath: keyringrc.cfg
-            readOnly: true
-          - name: keyring
-            mountPath: /root/.local/share/python_keyring/crypted_pass.cfg
-            readOnly: true
           - name: libvirt-sock-ro
             mountPath: /var/run/libvirt/libvirt-sock-ro
             readOnly: true
@@ -97,10 +93,6 @@ spec:
             mountPath: /tmp/start.py
             subPath: start.py
             readOnly: true
-          - name: {{ $binConfigMapName }}
-            mountPath: /tmp/patch_keyring.sh
-            subPath: patch_keyring.sh
-            readOnly: true
           - name: {{ $binConfigMapName }}
             mountPath: /tmp/start.sh
             subPath: start.sh
@@ -117,10 +109,6 @@ spec:
         secret:
           defaultMode: 0644
           secretName: {{ $configMapName }}
-      - name: keyring
-        hostPath:
-          path: /opt/platform/.keyring/21.12/python_keyring/crypted_pass.cfg # TODO (hmatsui): dynamically get version (e.g. 21.12)
-          type: File
       - name: libvirt-sock-ro
         hostPath:
           path: /var/run/libvirt/libvirt-sock-ro

stx-openstack-helm/stx-openstack-helm/helm-charts/pci-irq-affinity-agent/values.yaml

@@ -30,15 +30,20 @@ labels:
 dependencies:
   static:
     pci_irq_affinity_agent:
-      services:
+      pod:
-        - endpoint: internal
+        - requireSameNode: true
-          service: keystone
+          labels:
-        - endpoint: internal
+            application: libvirt
-          service: rabbitmq
+            component: libvirt
-        - endpoint: internal
+        - requireSameNode: true
-          service: nova
+          labels:
+            application: nova
+            component: compute
 
 pod:
+  mounts:
+    pci_irq_affinity_agent:
+      init_container: null
   security_context:
     pci_irq_affinity_agent:
       pod:
@@ -60,6 +65,7 @@ conf:
       auth:
         admin:
           username: admin
+          password: password
           project_name: admin
           user_domain_name: default
           project_domain_name: default
@@ -80,6 +86,7 @@ conf:
     [openstack]
     openstack_enabled={{ .Values.conf.endpoints.keystone.openstack_enabled }}
     username={{ .Values.conf.endpoints.identity.auth.admin.username }}
+    password={{ .Values.conf.endpoints.identity.auth.admin.password }}
     tenant={{ .Values.conf.endpoints.identity.auth.admin.username }}
     authorization_protocol={{ .Values.conf.endpoints.keystone.openstack_auth_protocol }}
     authorization_ip={{ .Values.conf.endpoints.keystone.openstack_auth_host }}
@@ -99,9 +106,6 @@ conf:
     user_id={{ .Values.conf.endpoints.rabbit.rabbit_userid }}
     password={{ .Values.conf.endpoints.rabbit.rabbit_password }}
     virt_host={{ .Values.conf.endpoints.rabbit.rabbit_virtual_host }}
-  keyring: |
-    [backend]
-    default-keyring=keyrings.alt.file.EncryptedKeyring
   host:
     mount_path:
       pci_devices: /compute/sys/bus/pci/devices