Get admin password and use it on config template
The pci-irq-affinity-agent uses the platform keyring file to fetch the admin password to communicate with OpenStack services, but now that the agent is raised during the application apply it can use the same approach the other helm charts use to get the credentials, using its plugin to capture the information and generate the system overrides with the values. This commit: - Changes the plugin to get the credentials - Changes the pci-irq-affinity-agent helm chart to include the password on the chart values and use it on the agent config file template - Adds an init container with dependencies on libvirt and nova compute pods, so that the agent pod is only created when those are available - Removes the keyring mount on the container, which will not be needed anymore with the previous changes and is causing failure when raising the pod - Removes additional keyring tools Depends-On: https://review.opendev.org/c/starlingx/utilities/+/818620 Closes-Bug: 1951245 Signed-off-by: Heitor Matsui <HeitorVieira.Matsui@windriver.com> Change-Id: I26f993146b8a17b7602a45f0cd5d983c1d93b0c1
parent
70dde94488
commit
2755a00457
@ -18,6 +18,8 @@ class PciIrqAffinityAgentHelm(openstack.OpenstackBaseHelm):
|
||||
"""Class to encapsulate helm operations for the PCI IRQ affinity agent chart"""
|
||||
|
||||
CHART = app_constants.HELM_CHART_PCI_IRQ_AFFINITY_AGENT
|
||||
AUTH_USERS = ['pci-irq-affinity-agent']
|
||||
SERVICE_NAME = app_constants.HELM_CHART_PCI_IRQ_AFFINITY_AGENT
|
||||
|
||||
def __init__(self, operator):
|
||||
super(PciIrqAffinityAgentHelm, self).__init__(operator)
|
||||
@ -46,6 +48,12 @@ class PciIrqAffinityAgentHelm(openstack.OpenstackBaseHelm):
|
||||
)['nova']
|
||||
|
||||
overrides = {
|
||||
'identity': {
|
||||
'auth': self._get_endpoints_identity_overrides(
|
||||
self.SERVICE_NAME,
|
||||
self.AUTH_USERS
|
||||
),
|
||||
},
|
||||
'rabbit': {
|
||||
'rabbit_userid': nova_oslo_messaging_data['username'],
|
||||
'rabbit_password': nova_oslo_messaging_data['password'],
|
||||
|
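Review bot: `AUTH_USERS` names a dedicated `pci-irq-affinity-agent` user, yet the config template changed in this same commit reads only `.Values.conf.endpoints.identity.auth.admin.*`, so the agent still authenticates as the Keystone admin. If `_get_endpoints_identity_overrides` also emits credentials for the names in `AUTH_USERS` (its body is not visible here), the agent could use that narrower account and the admin password could stay out of its Secret; otherwise the list entry is unused configuration. A comment above the two new attributes would help either way, e.g. `# Users whose credentials are rendered into the chart overrides; the agent config currently consumes only the admin entry`. The class body and the method that builds `overrides` both continue outside these hunks.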
@ -1,13 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# Copyright (c) 2021 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
# Script to patch the keyring library so that it allows automation
|
||||
# by not asking for user input on the keyring password
|
||||
# This 'change' was taken from the platform keyring library
|
||||
KEYRING_LIB=$(find / -name file.py)
|
||||
sed -i '/self.keyring_key *= *getpass.getpass(/,/)/s/^/#/;/self.keyring_key *= *getpass.getpass/i\ # TAKEN FROM PLATFORM KEYRING CODE\n\ self.keyring_key = "Please set a password for your new keyring: "' $KEYRING_LIB
|
@ -7,5 +7,4 @@
|
||||
#
|
||||
|
||||
# Script to encapsulate the starting routines
|
||||
sh -c /tmp/patch_keyring.sh
|
||||
python /tmp/start.py
|
||||
|
@ -19,8 +19,6 @@ data:
|
||||
{{ tuple "bin/_start.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
health-probe.py: |
|
||||
{{ tuple "bin/_health-probe.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
patch_keyring.sh: |
|
||||
{{ tuple "bin/_patch_keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
start.sh: |
|
||||
{{ tuple "bin/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
{{- end }}
|
||||
|
@ -17,5 +17,4 @@ metadata:
|
||||
type: Opaque
|
||||
data:
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.template "key" "config.ini" "format" "Secret") | indent 2 }}
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.keyring "key" "keyringrc.cfg" "format" "Secret") | indent 2 }}
|
||||
{{- end }}
|
||||
|
@ -10,9 +10,10 @@
|
||||
{{- $daemonset := "pci-irq-affinity-agent" }}
|
||||
{{- $configMapName := "pci-irq-affinity-agent-etc" }}
|
||||
{{- $binConfigMapName := "pci-irq-affinity-agent-bin" }}
|
||||
{{- $mounts_pci_irq_affinity_agent_init := .Values.pod.mounts.pci_irq_affinity_agent.init_container }}
|
||||
{{- $envAll := . }}
|
||||
|
||||
{{- tuple $envAll "agent" $daemonset | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
{{- tuple $envAll "pci_irq_affinity_agent" $daemonset | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
@ -36,6 +37,8 @@ spec:
|
||||
{{ .Values.labels.agent.pci_irq_affinity_agent.node_selector_key }}: {{ .Values.labels.agent.pci_irq_affinity_agent.node_selector_value }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.tolerations | indent 8 }}
|
||||
initContainers:
|
||||
{{ tuple $envAll "pci_irq_affinity_agent" $mounts_pci_irq_affinity_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
- name: pci-irq-affinity-agent
|
||||
image: {{ .Values.images.tags.pci_irq_affinity_agent }}
|
||||
@ -77,13 +80,6 @@ spec:
|
||||
mountPath: /etc/pci_irq_affinity/config.ini
|
||||
subPath: config.ini
|
||||
readOnly: true
|
||||
- name: {{ $configMapName }}
|
||||
mountPath: /root/.local/share/python_keyring/keyringrc.cfg
|
||||
subPath: keyringrc.cfg
|
||||
readOnly: true
|
||||
- name: keyring
|
||||
mountPath: /root/.local/share/python_keyring/crypted_pass.cfg
|
||||
readOnly: true
|
||||
- name: libvirt-sock-ro
|
||||
mountPath: /var/run/libvirt/libvirt-sock-ro
|
||||
readOnly: true
|
||||
@ -97,10 +93,6 @@ spec:
|
||||
mountPath: /tmp/start.py
|
||||
subPath: start.py
|
||||
readOnly: true
|
||||
- name: {{ $binConfigMapName }}
|
||||
mountPath: /tmp/patch_keyring.sh
|
||||
subPath: patch_keyring.sh
|
||||
readOnly: true
|
||||
- name: {{ $binConfigMapName }}
|
||||
mountPath: /tmp/start.sh
|
||||
subPath: start.sh
|
||||
@ -117,10 +109,6 @@ spec:
|
||||
secret:
|
||||
defaultMode: 0644
|
||||
secretName: {{ $configMapName }}
|
||||
- name: keyring
|
||||
hostPath:
|
||||
path: /opt/platform/.keyring/21.12/python_keyring/crypted_pass.cfg # TODO (hmatsui): dynamically get version (e.g. 21.12)
|
||||
type: File
|
||||
- name: libvirt-sock-ro
|
||||
hostPath:
|
||||
path: /var/run/libvirt/libvirt-sock-ro
|
||||
|
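Review bot: The Secret volume in the last hunk keeps `defaultMode: 0644`, but after this commit `config.ini` carries the Keystone admin password as well as the RabbitMQ one, so the mounted file is readable by every user inside the container. Tightening it to `defaultMode: 0400` would limit that exposure, provided the agent process runs as the file owner, which the visible lines do not show. The volumes list starts and ends outside the hunk, so other consumers of this Secret should be checked before changing the mode.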
@ -30,15 +30,20 @@ labels:
|
||||
dependencies:
|
||||
static:
|
||||
pci_irq_affinity_agent:
|
||||
services:
|
||||
- endpoint: internal
|
||||
service: keystone
|
||||
- endpoint: internal
|
||||
service: rabbitmq
|
||||
- endpoint: internal
|
||||
service: nova
|
||||
pod:
|
||||
- requireSameNode: true
|
||||
labels:
|
||||
application: libvirt
|
||||
component: libvirt
|
||||
- requireSameNode: true
|
||||
labels:
|
||||
application: nova
|
||||
component: compute
|
||||
|
||||
pod:
|
||||
mounts:
|
||||
pci_irq_affinity_agent:
|
||||
init_container: null
|
||||
security_context:
|
||||
pci_irq_affinity_agent:
|
||||
pod:
|
||||
@ -60,6 +65,7 @@ conf:
|
||||
auth:
|
||||
admin:
|
||||
username: admin
|
||||
password: password
|
||||
project_name: admin
|
||||
user_domain_name: default
|
||||
project_domain_name: default
|
||||
@ -80,6 +86,7 @@ conf:
|
||||
[openstack]
|
||||
openstack_enabled={{ .Values.conf.endpoints.keystone.openstack_enabled }}
|
||||
username={{ .Values.conf.endpoints.identity.auth.admin.username }}
|
||||
password={{ .Values.conf.endpoints.identity.auth.admin.password }}
|
||||
tenant={{ .Values.conf.endpoints.identity.auth.admin.username }}
|
||||
authorization_protocol={{ .Values.conf.endpoints.keystone.openstack_auth_protocol }}
|
||||
authorization_ip={{ .Values.conf.endpoints.keystone.openstack_auth_host }}
|
||||
@ -99,9 +106,6 @@ conf:
|
||||
user_id={{ .Values.conf.endpoints.rabbit.rabbit_userid }}
|
||||
password={{ .Values.conf.endpoints.rabbit.rabbit_password }}
|
||||
virt_host={{ .Values.conf.endpoints.rabbit.rabbit_virtual_host }}
|
||||
keyring: |
|
||||
[backend]
|
||||
default-keyring=keyrings.alt.file.EncryptedKeyring
|
||||
host:
|
||||
mount_path:
|
||||
pci_devices: /compute/sys/bus/pci/devices
|
||||
|
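Review bot: The new default `password: password` under the admin auth block means that a deployment where the plugin override is missing still renders `config.ini` with a well-known admin password instead of failing at install time. Consider an empty default plus a fail-fast template line, `password={{ required "identity.auth.admin.password override is missing" .Values.conf.endpoints.identity.auth.admin.password }}`, assuming `required` is usable where this template is rendered. A comment next to the value, `# placeholder; overridden by the pci-irq-affinity-agent helm plugin`, would also make clear that it is never meant to be used as-is.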