diff --git a/barbican/templates/configmap-etc.yaml b/barbican/templates/configmap-etc.yaml
index 1468de7c..27654c7c 100644
--- a/barbican/templates/configmap-etc.yaml
+++ b/barbican/templates/configmap-etc.yaml
@@ -20,6 +20,25 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty 
.Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} diff --git a/barbican/templates/job-db-init.yaml b/barbican/templates/job-db-init.yaml index dd0f2667..fd8d901a 100644 --- a/barbican/templates/job-db-init.yaml +++ b/barbican/templates/job-db-init.yaml @@ -41,7 +41,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: barbican-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/barbican/barbican.conf diff --git a/barbican/templates/job-ks-endpoints.yaml b/barbican/templates/job-ks-endpoints.yaml index cb9cb237..86789f3e 100644 --- a/barbican/templates/job-ks-endpoints.yaml +++ b/barbican/templates/job-ks-endpoints.yaml @@ -11,7 +11,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "barbican-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -48,7 +47,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/barbican/templates/job-ks-service.yaml b/barbican/templates/job-ks-service.yaml index f63c4565..2f6b2cad 100644 --- a/barbican/templates/job-ks-service.yaml +++ b/barbican/templates/job-ks-service.yaml 
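Review bot: The new defaulting block copies `.Values.endpoints.identity.auth.user.password` into `keystone_authtoken.password`, so the service user's Keystone password is rendered into barbican.conf inside the object this template (configmap-etc.yaml) emits — presumably a ConfigMap — while the same credential is also written to the Secret created by secret-keystone.yaml. ConfigMaps are commonly readable more widely than Secrets, so the two copies have different exposure; at minimum add a note beside the block, e.g. `{{/* NOTE: keystone_authtoken.password is rendered into barbican.conf (ConfigMap); keep RBAC on it as tight as on the identity Secret */}}`. The old `conf.barbican...password` default had the same effect, so this is not a regression, but consolidating credentials under endpoints.identity.auth is the right moment to record it. The template body continues outside the hunk on both sides.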
@@ -11,7 +11,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "barbican-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job @@ -47,7 +46,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/barbican/templates/job-ks-user.yaml b/barbican/templates/job-ks-user.yaml index af526735..72956095 100644 --- a/barbican/templates/job-ks-user.yaml +++ b/barbican/templates/job-ks-user.yaml @@ -10,8 +10,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "barbican-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "barbican-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} apiVersion: batch/v1 @@ -47,16 +45,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "barbican" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.barbican_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: 
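Review bot: `SERVICE_OS_ROLE` now takes `.Values.endpoints.identity.auth.user.role`, which the values.yaml hunk in this change defaults to `admin`, so the ks-user job grants the barbican service account the cloud admin role unless an operator overrides it. That is the same privilege the old `keystone.barbican_user_role` default carried, but the new key sits next to the credentials block and is easy to miss; a comment on the env var would help, e.g. `# role granted to the service user in Keystone; defaults to admin via endpoints.identity.auth.user.role — use a less privileged role where the service allows`. The `.Values.secrets.identity.user` inside `with $env := dict ...` still resolves to the chart root because it is evaluated before `with` rebinds the dot, so that reference is fine.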
diff --git a/heat/templates/secret-keystone-stack-user.env.yaml b/barbican/templates/secret-db.yaml
similarity index 51%
rename from heat/templates/secret-keystone-stack-user.env.yaml
rename to barbican/templates/secret-db.yaml
index 18bdf9a7..f8c9dffe 100644
--- a/heat/templates/secret-keystone-stack-user.env.yaml
+++ b/barbican/templates/secret-db.yaml
@@ -11,20 +11,15 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ .Values.keystone_secrets.stack }}
+ name: {{ $secretName }}
 type: Opaque
 data:
- OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.keystone.heat_stack_region_name | b64enc | indent 4 }}
- OS_DOMAIN_NAME: |
-{{ .Values.conf.heat.default.heat.common.config.stack_user_domain_name | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.conf.heat.default.heat.common.config.stack_domain_admin | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.conf.heat.default.heat.common.config.stack_domain_admin_password | b64enc | indent 4 }}
+ DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/barbican/templates/secret-keystone-admin.env.yaml b/barbican/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index 99e086ca..00000000
--- a/barbican/templates/secret-keystone-admin.env.yaml
+++ /dev/null
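Review bot: The `range` over `tuple "admin" "user"` emits one Secret per entry of `.Values.secrets.oslo_db`, but nothing guards against the two names being configured identically; if `admin` and `user` are set to the same string the template renders two Secret documents with the same name and the admin connection string collides with the user one (what then happens depends on the Helm/Tiller version). A comment on the range would state the contract, e.g. `{{/* one Secret per DB user class; secrets.oslo_db.admin and .user must be distinct names */}}`. The `admin` document carries the connection string that job-db-init.yaml consumes as `ROOT_DB_CONNECTION`, so its name deserves the same RBAC care as the old barbican-db-root secret.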
@@ -1,32 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: barbican-env-keystone-admin
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.keystone.admin_user | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.keystone.admin_password | b64enc | indent 4 }}
diff --git a/barbican/templates/secret-keystone-user.env.yaml b/barbican/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index a642f8ee..00000000
--- a/barbican/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: barbican-env-keystone-user
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }}
diff --git a/barbican/templates/secret-db-root.env.yaml b/barbican/templates/secret-keystone.yaml
similarity index 63%
rename from barbican/templates/secret-db-root.env.yaml
rename to barbican/templates/secret-keystone.yaml
index a3ff0851..2507c3b3 100644
--- a/barbican/templates/secret-db-root.env.yaml
+++ b/barbican/templates/secret-keystone.yaml
@@ -1,3 +1,5 @@ +# Copyright 2017 The Openstack-Helm Authors. +# # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -9,11 +11,15 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- apiVersion: v1 kind: Secret metadata: - name: barbican-db-root + name: {{ $secretName }} type: Opaque data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/barbican/values.yaml b/barbican/values.yaml index 2f707379..02aa9413 100644 --- a/barbican/values.yaml +++ b/barbican/values.yaml @@ -45,22 +45,6 @@ network: enabled: false port: 39486 -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - - barbican_user: "barbican" - barbican_user_domain: "default" - barbican_user_role: "admin" - barbican_password: "password" - barbican_project_name: "service" - barbican_project_domain: "default" - barbican_region_name: "RegionOne" - dependencies: db_init: services: @@ -115,12 +99,6 @@ conf: auth_token: auth_type: password auth_version: v3 - region_name: RegionOne - project_domain_name: default - project_name: service - user_domain_name: default - username: barbican - password: password database: oslo: db: 
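Review bot: Both the admin and the service-user openrc Secrets are now produced by `tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc"`, whereas the deleted secret-keystone-admin.env.yaml derived the admin `OS_AUTH_URL` from the `"admin" "admin"` Keystone endpoint; if the second tuple element selects the endpoint class (the snippet is not in this diff), the admin jobs now authenticate against the internal endpoint. With Keystone v3 that is normally equivalent, but it is a behavioural change that the template should state, e.g. `{{/* admin and user openrc both target the internal identity endpoint; v3 does not need the legacy admin endpoint */}}`. Deployments that expose the admin and internal endpoints on different networks should have this called out in the commit message as well.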
@@ -130,9 +108,34 @@ conf:
 config:
 bind_port: 9311
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: barbican-keystone-admin
+ user: barbican-keystone-user
+ oslo_db:
+ admin: barbican-db-admin
+ user: barbican-db-user
+
 endpoints:
 identity:
 name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ user:
+ role: admin
+ region_name: RegionOne
+ username: barbican
+ password: password
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
 hosts:
 default: keystone-api
 public: keystone
diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml
index 6446a281..b4217edb 100644
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
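Review bot: The new `endpoints.identity.auth` block ships `password: password` for both the Keystone admin and the barbican service user, plus `role: admin` for the service user; secret-keystone.yaml renders these into Secrets and configmap-etc.yaml copies the service password into barbican.conf, so a default install stands up the key manager with guessable credentials and an admin-role service account. The comment above `secrets:` only explains the secret names; the credentials block needs its own warning, e.g. `# Placeholder credentials for bootstrap and service users: override every password (and consider a non-admin user.role) before deploying outside development`. Quoting the string values (`password: "password"`) would also keep an operator-supplied value such as `0123` or `true` from being retyped by the YAML parser.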
@@ -23,6 +23,25 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty 
.Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml index 13cc3a85..584616d9 100644 --- a/cinder/templates/job-bootstrap.yaml +++ b/cinder/templates/job-bootstrap.yaml @@ -14,7 +14,6 @@ {{- if .Values.bootstrap.enabled }} {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "cinder-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.bootstrap }} apiVersion: batch/v1 kind: Job @@ -44,7 +43,7 @@ spec: command: - /tmp/bootstrap.sh env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} volumeMounts: diff --git a/cinder/templates/job-db-init.yaml b/cinder/templates/job-db-init.yaml index 15f5b851..37a00751 100644 --- a/cinder/templates/job-db-init.yaml +++ b/cinder/templates/job-db-init.yaml @@ -43,7 +43,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: cinder-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/cinder/cinder.conf diff --git a/cinder/templates/job-ks-endpoints.yaml b/cinder/templates/job-ks-endpoints.yaml index 0cdfd2bc..b10d4ee8 100644 --- a/cinder/templates/job-ks-endpoints.yaml +++ b/cinder/templates/job-ks-endpoints.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "cinder-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job 
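Review bot: `keystone_authtoken.password` is now filled from `.Values.endpoints.identity.auth.user.password` whenever `conf.cinder` leaves it unset, which puts the service user's password into the rendered cinder.conf inside this template's ConfigMap while the same credential is also written to the Secret that secret-keystone.yaml creates. ConfigMaps are typically granted wider read access than Secrets, so the two copies do not have the same exposure; a note next to the defaulting block would make that explicit, e.g. `{{/* NOTE: the service password is rendered into cinder.conf (ConfigMap); keep RBAC on this ConfigMap as tight as on the identity Secret */}}`. The old `conf.cinder...password` default behaved the same way, so this is not a regression. The template body continues outside the hunk on both sides.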
@@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/cinder/templates/job-ks-service.yaml b/cinder/templates/job-ks-service.yaml index 56ecfc1e..2e4e0c2f 100644 --- a/cinder/templates/job-ks-service.yaml +++ b/cinder/templates/job-ks-service.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "cinder-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job @@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml index 521e9ea8..ea884376 100644 --- a/cinder/templates/job-ks-user.yaml +++ b/cinder/templates/job-ks-user.yaml @@ -12,8 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "cinder-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "cinder-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} apiVersion: batch/v1 
@@ -49,16 +47,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "cinder" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.cinder_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml index 22b56486..80caaaf3 100644 --- a/cinder/templates/pod-rally-test.yaml +++ b/cinder/templates/pod-rally-test.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "cinder-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.tests }} {{- $mounts_cinder_tests := .Values.mounts.cinder_tests.cinder_tests }} {{- $mounts_cinder_tests_init := .Values.mounts.cinder_tests.init_container }} @@ -42,7 +41,7 @@ spec: memory: {{ .Values.resources.tests.requests.memory | quote }} {{- end }} env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- end }} - name: RALLY_ENV_NAME diff --git a/cinder/templates/secret-db-root.env.yaml b/cinder/templates/secret-db-root.env.yaml deleted file mode 100644 index 1af541d4..00000000 --- a/cinder/templates/secret-db-root.env.yaml +++ /dev/null 
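Review bot: pod-rally-test.yaml now takes its openrc from `.Values.secrets.identity.admin`, so the test pod runs the Rally scenarios with the cloud admin credentials rather than the cinder service user; that is inherited from the old `$ksAdminSecret` default, but with the secret name living in values it should be stated next to the `with` block, e.g. `# tests run with the Keystone admin openrc from secrets.identity.admin; scope them to a dedicated project/user in shared clouds`. In the same set of hunks `SERVICE_OS_ROLE` is driven by `.Values.endpoints.identity.auth.user.role`, whose default elsewhere in this change is `admin`, so the cinder service user is granted admin unless overridden. The pod spec continues beyond the hunk.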
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: cinder-db-root
-type: Opaque
-data:
- DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
diff --git a/cinder/templates/secret-db.yaml b/cinder/templates/secret-db.yaml
new file mode 100644
index 00000000..f8c9dffe
--- /dev/null
+++ b/cinder/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/cinder/templates/secret-keystone-admin.env.yaml b/cinder/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index f804604f..00000000
--- a/cinder/templates/secret-keystone-admin.env.yaml
+++ /dev/null
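Review bot: The new secret-db.yaml renders a `user` Secret holding the non-root DB connection string, but nothing in this diff references `secrets.oslo_db.user` — only the `admin` name is consumed, by job-db-init.yaml as `ROOT_DB_CONNECTION`. If the cinder pods still take their DB URL from the rendered config, the user Secret is an extra, unreferenced copy of the database password; either wire it in or document why it is rendered, e.g. `{{/* user: non-root DB credentials for the service pods; admin: root credentials consumed by job-db-init as ROOT_DB_CONNECTION */}}`. The range also assumes `secrets.oslo_db.admin` and `.user` are distinct names, since equal names produce two Secret documents with the same name.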
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: cinder-env-keystone-admin
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.keystone.admin_user | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.keystone.admin_password | b64enc | indent 4 }}
diff --git a/cinder/templates/secret-keystone-user.env.yaml b/cinder/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index 15457b23..00000000
--- a/cinder/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: cinder-env-keystone-user
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }}
diff --git a/cinder/templates/secret-keystone.yaml b/cinder/templates/secret-keystone.yaml
new file mode 100644
index 00000000..2507c3b3
--- /dev/null
+++ b/cinder/templates/secret-keystone.yaml
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/cinder/values.yaml b/cinder/values.yaml index b42e4aeb..d8b25798 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml @@ -67,15 +67,6 @@ bootstrap: group: volume_backend_name: -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - cinder_user_role: "admin" - network: api: ingress: @@ -129,12 +120,6 @@ conf: auth_token: auth_version: v3 auth_type: password - region_name: RegionOne - project_domain_name: default - project_name: service - user_domain_name: default - username: cinder - password: password oslo_concurrency: oslo: concurrency: 
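Review bot: `{{- range $key1, $userClass := tuple "admin" "user" }}` binds an index variable that is never used; Go templates accept the single-variable form, so `{{- range $userClass := tuple "admin" "user" }}` says the same thing without the dead name (the identical pattern is in secret-db.yaml). The loop body also passes `"internal"` for both user classes to `helm-toolkit.snippets.keystone_secret_openrc`, whereas the deleted cinder-env-keystone-admin secret built its `OS_AUTH_URL` from the `"admin" "admin"` endpoint; if that argument selects the endpoint class (the snippet is outside this diff) the admin jobs now use the internal endpoint, which is fine for Keystone v3 but deserves a one-line comment in the template. The second values.yaml hunk removes the per-service `keystone_authtoken` credentials, so the defaulting in configmap-etc.yaml is now the only source for them — worth noting in the commit message.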
@@ -235,12 +220,37 @@ dependencies:
 - service: volume
 endpoint: internal
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: cinder-keystone-admin
+ user: cinder-keystone-user
+ oslo_db:
+ admin: cinder-db-admin
+ user: cinder-db-user
+
 # We use a different layout of the endpoints here to account for versioning
 # this swaps the service name and type, and should be rolled out to other
 # services.
 endpoints:
 identity:
 name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ user:
+ role: admin
+ region_name: RegionOne
+ username: cinder
+ password: password
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
 hosts:
 default: keystone-api
 public: keystone
diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml
index c751b64f..f4e1a276 100644
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
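Review bot: `endpoints.identity.auth` introduces `password: password` for the Keystone admin and the cinder service user and `role: admin` for the service user, and these defaults flow into the Secrets from secret-keystone.yaml, into cinder.conf via configmap-etc.yaml and into the ks-user job's `SERVICE_OS_ROLE`; a default install therefore has guessable credentials and an admin-role service account. The `# Names of secrets ...` comment covers only the secret names, so add a warning on the credentials block, e.g. `# Placeholder credentials: override every password (and consider a non-admin user.role) before any non-development deployment`. Quoting the password strings (`password: "password"`) would additionally stop operator-supplied values such as `0123` from being retyped.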
@@ -29,6 +29,44 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + +{{- if empty 
.Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . 
| include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} @@ -66,6 +104,7 @@ {{- tuple "image" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.glance.default.glance.api "public_endpoint" | quote | trunc 0 -}} {{- end -}} + apiVersion: v1 kind: ConfigMap metadata: diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml index fd36e23d..eb52825d 100644 --- a/glance/templates/job-bootstrap.yaml +++ b/glance/templates/job-bootstrap.yaml @@ -13,8 +13,8 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "glance-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.bootstrap }} +--- apiVersion: batch/v1 kind: Job metadata: @@ -41,7 +41,7 @@ spec: memory: {{ .Values.resources.jobs.bootstrap.requests.memory | quote }} {{- end }} env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} command: diff --git a/glance/templates/job-db-init.yaml b/glance/templates/job-db-init.yaml index 76c9ba82..11518c85 100644 --- a/glance/templates/job-db-init.yaml +++ b/glance/templates/job-db-init.yaml @@ -43,7 +43,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: glance-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/glance/glance-api.conf diff --git a/glance/templates/job-ks-endpoints.yaml b/glance/templates/job-ks-endpoints.yaml index f163f439..401a3d0f 100644 --- a/glance/templates/job-ks-endpoints.yaml +++ b/glance/templates/job-ks-endpoints.yaml 
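Review bot: The service password from `.Values.endpoints.identity.auth.user.password` is now written into both `conf.glance` and `conf.glance_registry`, so it ends up twice in the `kind: ConfigMap` this template emits (glance-api.conf and glance-registry.conf) while also living in the Secret from secret-keystone.yaml; add a note such as `{{/* NOTE: the service password is rendered into glance-api.conf and glance-registry.conf (ConfigMap); keep its RBAC as tight as the identity Secret */}}`. The twelve `if empty`/`set` stanzas differ only in the config section and key, which is fragile to extend; two nested ranges over the sections and the key list would express the same defaulting in a handful of lines, assuming sprig's `set` and `index` behave as they do on the dicts used here. The template continues outside the hunk on both sides.
```yaml
{{- $authUser := .Values.endpoints.identity.auth.user -}}
{{- range $section := tuple .Values.conf.glance .Values.conf.glance_registry -}}
{{- $authToken := $section.keystone_authtoken.keystonemiddleware.auth_token -}}
{{- range $key := tuple "region_name" "project_name" "project_domain_name" "user_domain_name" "username" "password" -}}
{{- if empty (index $authToken $key) -}}
{{- set $authToken $key (index $authUser $key) | quote | trunc 0 -}}
{{- end -}}
{{- end -}}
{{- end -}}
# … unchanged: memcached_servers defaulting …
```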
@@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "glance-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/glance/templates/job-ks-service.yaml b/glance/templates/job-ks-service.yaml index aa6587cd..0b22ad26 100644 --- a/glance/templates/job-ks-service.yaml +++ b/glance/templates/job-ks-service.yaml @@ -11,10 +11,9 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "glance-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_service }} +--- apiVersion: batch/v1 kind: Job metadata: @@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/glance/templates/job-ks-user.yaml b/glance/templates/job-ks-user.yaml index 9ffd4317..f9aa6224 100644 --- a/glance/templates/job-ks-user.yaml +++ b/glance/templates/job-ks-user.yaml 
@@ -11,11 +11,9 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "glance-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "glance-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} +--- apiVersion: batch/v1 kind: Job metadata: @@ -49,16 +47,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "glance" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.glance_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: diff --git a/glance/templates/pod-rally-test.yaml b/glance/templates/pod-rally-test.yaml index f4d8d983..3e48c5c2 100644 --- a/glance/templates/pod-rally-test.yaml +++ b/glance/templates/pod-rally-test.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "glance-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.tests }} {{- $mounts_glance_tests := .Values.mounts.glance_tests.glance_tests }} {{- $mounts_glance_tests_init := .Values.mounts.glance_tests.init_container }} 
@@ -42,7 +41,7 @@ spec: memory: {{ .Values.resources.tests.requests.memory | quote }} {{- end }} env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- end }} - name: RALLY_ENV_NAME diff --git a/glance/templates/secret-db-root.env.yaml b/glance/templates/secret-db-root.env.yaml deleted file mode 100644 index f01d1d90..00000000 --- a/glance/templates/secret-db-root.env.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: glance-db-root -type: Opaque -data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} diff --git a/glance/templates/secret-db.yaml b/glance/templates/secret-db.yaml new file mode 100644 index 00000000..f8c9dffe --- /dev/null +++ b/glance/templates/secret-db.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- end }} diff --git a/glance/templates/secret-keystone-admin.env.yaml b/glance/templates/secret-keystone-admin.env.yaml deleted file mode 100644 index 0e57ce09..00000000 --- a/glance/templates/secret-keystone-admin.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: glance-env-keystone-admin -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.admin_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.admin_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.admin_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.admin_password | b64enc | indent 4 }} diff --git a/glance/templates/secret-keystone-user.env.yaml b/glance/templates/secret-keystone-user.env.yaml deleted file mode 100644 index 30052ab7..00000000 --- a/glance/templates/secret-keystone-user.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: glance-env-keystone-user -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }} diff --git a/glance/templates/secret-keystone.yaml b/glance/templates/secret-keystone.yaml new file mode 100644 index 00000000..2507c3b3 --- /dev/null +++ b/glance/templates/secret-keystone.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/glance/values.yaml b/glance/values.yaml index e5ed078b..c5ba55dc 100644 --- a/glance/values.yaml +++ b/glance/values.yaml @@ -76,16 +76,6 @@ bootstrap: hypervisor_type: "qemu" os_distro: "cirros" -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - glance_user_role: "admin" - - conf: rally_tests: override: @@ -120,12 +110,6 @@ conf: auth_token: auth_type: password auth_version: v3 - region_name: RegionOne - project_domain_name: default - project_name: service - user_domain_name: default - username: glance - password: password glance_store: glance: store: @@ -151,12 +135,6 @@ conf: auth_token: auth_type: password auth_version: v3 - region_name: RegionOne - project_domain_name: default - project_name: service - user_domain_name: default - username: glance - password: password network: api: 
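Review bot: Every user class, including `admin`, is now rendered against the `internal` identity endpoint and the `api` port (`tuple $userClass "internal" $envAll` feeding `tuple "identity" $identityEndpoint "api"` inside the snippet), whereas the deleted `secret-keystone-admin.env.yaml` built `OS_AUTH_URL` from `tuple "identity" "admin" "admin"`. Under Keystone v3 with the default policy that is usually harmless, but in deployments whose policy or network ACLs restrict user/role/endpoint management to the admin endpoint, the ks-user/ks-service/ks-endpoints jobs that consume this secret would start failing. If the move is deliberate, a one-line comment above the `range` saying so would save the next reader the same check; if not, something like `{{- $endpoint := ternary "admin" "internal" (eq $userClass "admin") }}` (sprig `ternary`, if the chart's Helm baseline has it) passed as the second tuple element keeps the old behaviour for the admin class only.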
@@ -296,12 +274,37 @@ dependencies: - service: image endpoint: internal +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: glance-keystone-admin + user: glance-keystone-user + oslo_db: + admin: glance-db-admin + user: glance-db-user + # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: glance + password: password + project_name: service + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone diff --git a/heat/templates/configmap-etc.yaml b/heat/templates/configmap-etc.yaml index 5097230d..27dd71cd 100644 --- a/heat/templates/configmap-etc.yaml +++ b/heat/templates/configmap-etc.yaml 
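Review bot: The new `endpoints.identity.auth` block ships a literal `password: password` for both the Keystone admin and the glance service user, and gives the service user `role: admin`. These are the values the removed `keystone:` block carried, but they now live under `endpoints`, which the comment just above describes as "typically overriden by environmental values" — a deployer who overrides only `hosts` silently keeps the default credentials. Consider a comment such as `# CHANGEME: development-only credentials; override per environment` above `auth:`, and, if the deployed Keystone policy's `identity:validate_token` rule admits the `service` role, a lower default than `admin` for the glance user, which only needs to validate tokens and talk to its own project.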
@@ -23,6 +23,54 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + +{{- if empty .Values.conf.heat.trustee.heat.common.context.region_name -}} +{{- set 
.Values.conf.heat.trustee.heat.common.context "region_name" .Values.endpoints.identity.auth.trustee.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.trustee.heat.common.context.project_name -}} +{{- set .Values.conf.heat.trustee.heat.common.context "project_name" .Values.endpoints.identity.auth.trustee.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.trustee.heat.common.context.project_domain_name -}} +{{- set .Values.conf.heat.trustee.heat.common.context "project_domain_name" .Values.endpoints.identity.auth.trustee.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.trustee.heat.common.context.user_domain_name -}} +{{- set .Values.conf.heat.trustee.heat.common.context "user_domain_name" .Values.endpoints.identity.auth.trustee.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.trustee.heat.common.context.username -}} +{{- set .Values.conf.heat.trustee.heat.common.context "username" .Values.endpoints.identity.auth.trustee.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.trustee.heat.common.context.password -}} +{{- set .Values.conf.heat.trustee.heat.common.context "password" .Values.endpoints.identity.auth.trustee.password | quote | trunc 0 -}} +{{- end -}} + +{{- if empty .Values.conf.heat.default.heat.common.config.stack_user_domain_name -}} +{{- set .Values.conf.heat.default.heat.common.config "stack_user_domain_name" .Values.endpoints.identity.auth.stack_user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.default.heat.common.config.stack_domain_admin -}} +{{- set .Values.conf.heat.default.heat.common.config "stack_domain_admin" .Values.endpoints.identity.auth.stack_user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.heat.default.heat.common.config.stack_domain_admin_password -}} +{{- set .Values.conf.heat.default.heat.common.config 
"stack_domain_admin_password" .Values.endpoints.identity.auth.stack_user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} diff --git a/heat/templates/job-db-init.yaml b/heat/templates/job-db-init.yaml index 1693fbcc..76162596 100644 --- a/heat/templates/job-db-init.yaml +++ b/heat/templates/job-db-init.yaml @@ -43,7 +43,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: heat-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/heat/heat.conf diff --git a/heat/templates/job-ks-endpoints.yaml b/heat/templates/job-ks-endpoints.yaml index 9010a55d..32892f49 100644 --- a/heat/templates/job-ks-endpoints.yaml +++ b/heat/templates/job-ks-endpoints.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone_secrets.admin }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/heat/templates/job-ks-service.yaml b/heat/templates/job-ks-service.yaml index 22de825c..b3e59fe8 100644 --- a/heat/templates/job-ks-service.yaml +++ b/heat/templates/job-ks-service.yaml 
@@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone_secrets.admin }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job @@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/heat/templates/job-ks-user.yaml b/heat/templates/job-ks-user.yaml index f954fa2a..99f02a9c 100644 --- a/heat/templates/job-ks-user.yaml +++ b/heat/templates/job-ks-user.yaml @@ -14,11 +14,7 @@ {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} -{{- $ksAdminSecret := .Values.keystone_secrets.admin }} -{{- $ksUserSecret := .Values.keystone_secrets.user }} # The heat user management job is a bit different from other services as it also needs to create a stack domain and trusts user -{{- $ksTrusteeUserSecret := .Values.keystone_secrets.trustee }} -{{- $ksStackUserSecret := .Values.keystone_secrets.stack }} apiVersion: batch/v1 kind: Job metadata: 
@@ -52,21 +48,20 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "heat" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.heat_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} - name: heat-ks-trustee-user image: {{ .Values.images.ks_user }} imagePullPolicy: {{ .Values.images.pull_policy }} command: - - bash - /tmp/ks-user.sh volumeMounts: - name: ks-user-sh @@ -74,21 +69,20 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "heat" -{{- with $env := dict "ksUserSecret" $ksTrusteeUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.trustee }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.heat_trustee_role | quote }} + value: {{ .Values.endpoints.identity.auth.trustee.role | quote }} - name: heat-ks-domain-user image: {{ .Values.images.ks_user }} imagePullPolicy: {{ .Values.images.pull_policy }} command: - - bash - /tmp/ks-domain-user.sh volumeMounts: - name: ks-user-sh 
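Review bot: Dropping `- bash` from the `heat-ks-trustee-user` and `heat-ks-domain-user` commands means `/tmp/ks-user.sh` and `/tmp/ks-domain-user.sh` are now exec'd directly, which only works if the `ks-user-sh` ConfigMap volume sets an executable `defaultMode` (e.g. `defaultMode: 0555`) and each script starts with a shebang; the volume definition is cut off below this hunk, so please confirm. If the exec bit is missing the init containers fail with a permission error before any user or trust is created, and the role assignments configured via `SERVICE_OS_ROLE` never happen. A short comment next to the `command:` lines noting the dependency on `defaultMode` would make the coupling visible.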
@@ -96,7 +90,7 @@ spec: subPath: ks-domain-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME @@ -104,25 +98,25 @@ spec: - name: SERVICE_OS_REGION_NAME valueFrom: secretKeyRef: - name: {{ $ksStackUserSecret }} + name: {{ .Values.secrets.identity.stack_user }} key: OS_REGION_NAME - name: SERVICE_OS_DOMAIN_NAME valueFrom: secretKeyRef: - name: {{ $ksStackUserSecret }} + name: {{ .Values.secrets.identity.stack_user }} key: OS_DOMAIN_NAME - name: SERVICE_OS_USERNAME valueFrom: secretKeyRef: - name: {{ $ksStackUserSecret }} + name: {{ .Values.secrets.identity.stack_user }} key: OS_USERNAME - name: SERVICE_OS_PASSWORD valueFrom: secretKeyRef: - name: {{ $ksStackUserSecret }} + name: {{ .Values.secrets.identity.stack_user }} key: OS_PASSWORD - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.heat_stack_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.stack_user.role | quote }} volumes: - name: ks-user-sh configMap: diff --git a/heat/templates/secret-db-root.env.yaml b/heat/templates/secret-db-root.env.yaml deleted file mode 100644 index a4fbce86..00000000 --- a/heat/templates/secret-db-root.env.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: heat-db-root -type: Opaque -data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} diff --git a/heat/templates/secret-db.yaml b/heat/templates/secret-db.yaml new file mode 100644 index 00000000..f8c9dffe --- /dev/null +++ b/heat/templates/secret-db.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- end }} diff --git a/heat/templates/secret-keystone-admin.env.yaml b/heat/templates/secret-keystone-admin.env.yaml deleted file mode 100644 index f7956238..00000000 --- a/heat/templates/secret-keystone-admin.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keystone_secrets.admin }} -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.admin_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.admin_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.admin_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.admin_password | b64enc | indent 4 }} diff --git a/heat/templates/secret-keystone-trustee.env.yaml b/heat/templates/secret-keystone-trustee.env.yaml deleted file mode 100644 index 3d92a701..00000000 --- a/heat/templates/secret-keystone-trustee.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keystone_secrets.trustee }} -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.heat_trustee_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.conf.heat.trustee.heat.common.context.project_domain_name | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.conf.heat.trustee.heat.common.context.project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.conf.heat.trustee.heat.common.context.user_domain_name | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.conf.heat.trustee.heat.common.context.username | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.conf.heat.trustee.heat.common.context.password | b64enc | indent 4 }} diff --git a/heat/templates/secret-keystone-user.env.yaml b/heat/templates/secret-keystone-user.env.yaml deleted file mode 100644 index 77ac3a3c..00000000 --- a/heat/templates/secret-keystone-user.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keystone_secrets.user }} -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }} diff --git a/heat/templates/secret-keystone.yaml b/heat/templates/secret-keystone.yaml new file mode 100644 index 00000000..8be01836 --- /dev/null +++ b/heat/templates/secret-keystone.yaml 
@@ -0,0 +1,37 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" "trustee" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $envAll.Values.secrets.identity.stack_user }} +type: Opaque +data: + OS_AUTH_URL: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} + OS_REGION_NAME: {{ .Values.endpoints.identity.auth.stack_user.region_name | b64enc | indent 4 }} + OS_DOMAIN_NAME: {{ .Values.endpoints.identity.auth.stack_user.domain_name | b64enc | indent 4 }} + OS_USERNAME: {{ .Values.endpoints.identity.auth.stack_user.username | b64enc | indent 4 }} + OS_PASSWORD: {{ .Values.endpoints.identity.auth.stack_user.password | b64enc | indent 4 }} diff --git a/heat/values.yaml b/heat/values.yaml index 2a0e8eb1..a031425b 100644 --- a/heat/values.yaml +++ b/heat/values.yaml 
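Review bot: The hand-written `stack_user` Secret keeps `| b64enc | indent 4` on each single-line value; that is a leftover from the deleted block-scalar (`OS_AUTH_URL: |`) form and now only prefixes four spaces to an inline plain scalar, which YAML tolerates but which makes rendered output look broken. Drop `| indent 4` on the five `OS_*` lines, e.g. `OS_PASSWORD: {{ .Values.endpoints.identity.auth.stack_user.password | b64enc }}`. A comment above the second document explaining why this user is not produced by `keystone_secret_openrc` (it is domain-scoped, `OS_DOMAIN_NAME`, consumed as `SERVICE_OS_DOMAIN_NAME` by the ks-domain-user container, while the snippet emits project-scoped keys) would also help, since that is the only reason for the special case.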
@@ -64,29 +64,6 @@ termination_grace_period: cloudwatch: timeout: 30 -keystone_secrets: - admin: "heat-env-keystone-admin" - user: "heat-env-keystone-user" - trustee: "heat-env-keystone-trustee" - stack: "heat-env-keystone-stack-user" - -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - - heat_user_role: "admin" - - heat_trustee_role: "admin" - heat_trustee_region_name: "RegionOne" - - heat_stack_user_role: "admin" - heat_stack_region_name: "RegionOne" - - conf: paste: override: @@ -101,9 +78,6 @@ conf: heat: common: config: - stack_user_domain_name: heat - stack_domain_admin: heat-domain - stack_domain_admin_password: password num_engine_workers: 4 trusts_delegated_roles: _member_ keystone_authtoken: @@ -111,24 +85,12 @@ conf: auth_token: auth_type: password auth_version: v3 - region_name: RegionOne - project_domain_name: default - project_name: service - user_domain_name: default - username: heat - password: password trustee: heat: common: context: auth_section: trustee auth_type: password - password: password - user_domain_name: default - username: heat-trust - project_domain_name: default - project_name: service - region_name: RegionOne auth_version: v3 heat_api: heat: 
@@ -249,12 +211,53 @@ dependencies: - service: identity endpoint: internal +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: heat-keystone-admin + user: heat-keystone-user + trustee: heat-keystone-trustee + stack_user: heat-keystone-stack-user + oslo_db: + admin: heat-db-admin + user: heat-db-user + # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: heat + password: password + project_name: service + user_domain_name: default + project_domain_name: default + trustee: + role: admin + region_name: RegionOne + username: heat-trust + password: password + project_name: service + user_domain_name: default + project_domain_name: default + stack_user: + role: admin + region_name: RegionOne + username: heat-trust + password: password + domain_name: heat hosts: default: keystone-api public: keystone diff --git a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl new file mode 100644 index 00000000..3229f6a3 --- /dev/null +++ b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl 
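Review bot: `stack_user.username: heat-trust` in the new `endpoints.identity.auth` block is the same account name as `trustee.username`, whereas the `stack_domain_admin: heat-domain` it replaces (removed in the earlier heat/values.yaml hunk) named a separate account; this looks like a copy-paste from the `trustee` block, and giving the trustee and the stack-domain admin the same username makes the two identities hard to tell apart in Keystone audit data. Presumably `username: heat-domain` was intended — confirm against the removed `stack_domain_admin` value. Separately, every class ships `password: password`, and the existing `# typically overriden by environmental values` comment covers only endpoints, so a line such as `# placeholder credentials: override every password under auth: for a real deployment` directly under `auth:` would make the expectation explicit. The same default-credential block is added in keystone/values.yaml and magnum/values.yaml in this commit.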
@@ -0,0 +1,27 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+{{- end }}
diff --git a/keystone/templates/bin/_db-sync.sh.tpl b/keystone/templates/bin/_db-sync.sh.tpl
index e0b6c7a1..b5ed6079 100644
--- a/keystone/templates/bin/_db-sync.sh.tpl
+++ b/keystone/templates/bin/_db-sync.sh.tpl
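Review bot: The new `keystone_secret_openrc` snippet has no header comment describing its contract, and it becomes the single source of every chart's Keystone credential Secrets in this commit. Add a comment above the `define` stating that it takes a tuple of (user class, identity endpoint name, root context), reads `.Values.endpoints.identity.auth.<userClass>`, and requires `region_name`, `project_domain_name`, `project_name`, `user_domain_name`, `username` and `password` to all be set — a class without the full set (heat's `stack_user`, which carries `domain_name` instead) cannot go through it, which is why heat writes that Secret by hand. It is also worth recording that a missing key reaches `b64enc` as nil, which presumably aborts the render rather than emitting an empty credential; confirm that and say so, so callers do not paper over it with `default ""`.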
@@ -19,10 +19,10 @@ set -ex keystone-manage --config-file=/etc/keystone/keystone.conf db_sync keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \ - --bootstrap-username {{ .Values.keystone.admin_user }} \ - --bootstrap-password {{ .Values.keystone.admin_password }} \ - --bootstrap-project-name {{ .Values.keystone.admin_project_name }} \ - --bootstrap-admin-url {{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} \ - --bootstrap-public-url {{ tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} \ - --bootstrap-internal-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} \ - --bootstrap-region-id {{ .Values.keystone.admin_region_name }} + --bootstrap-username ${OS_USERNAME} \ + --bootstrap-password ${OS_PASSWORD} \ + --bootstrap-project-name ${OS_PROJECT_NAME} \ + --bootstrap-admin-url ${OS_BOOTSTRAP_ADMIN_URL} \ + --bootstrap-public-url ${OS_BOOTSTRAP_PUBLIC_URL} \ + --bootstrap-internal-url ${OS_BOOTSTRAP_INTERNAL_URL} \ + --bootstrap-region-id ${OS_REGION_NAME} diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml index e3997689..09da695d 100644 --- a/keystone/templates/job-bootstrap.yaml +++ b/keystone/templates/job-bootstrap.yaml @@ -14,7 +14,6 @@ {{- if .Values.bootstrap.enabled }} {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "keystone-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.bootstrap }} {{- $mounts_keystone_bootstrap := .Values.mounts.keystone_bootstrap.keystone_bootstrap }} {{- $mounts_keystone_bootstrap_init := .Values.mounts.keystone_bootstrap.init_container }} 
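Review bot: With `set -ex` still in force at the top of the script, the bootstrap command line — now including the expanded `${OS_PASSWORD}` — is echoed by xtrace to the job's stdout, so the Keystone admin password ends up in the pod log and anything that aggregates it. Before this change the password was baked into the script text, so the commit does not make this worse, but now that the credential comes from a Secret it is cheap to keep it out of the logs: put `set +x` immediately before the `keystone-manage ... bootstrap` line (or use `set -e` alone). The expansions should also be double-quoted, `--bootstrap-password "${OS_PASSWORD}" \`, so a password containing whitespace or glob characters is passed as one argument; the same applies to the other six flags.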
@@ -45,7 +44,7 @@ spec:
 memory: {{ .Values.resources.jobs.bootstrap.requests.memory | quote }}
 {{- end }}
 env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
 command:
diff --git a/keystone/templates/job-db-init.yaml b/keystone/templates/job-db-init.yaml
index 50cd04a6..62695414 100644
--- a/keystone/templates/job-db-init.yaml
+++ b/keystone/templates/job-db-init.yaml
@@ -47,7 +47,7 @@ spec:
 - name: ROOT_DB_CONNECTION
 valueFrom:
 secretKeyRef:
- name: keystone-db-root
+ name: {{ .Values.secrets.oslo_db.admin }}
 key: DB_CONNECTION
 - name: OPENSTACK_CONFIG_FILE
 value: /etc/keystone/keystone.conf
diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml
index 2341b150..8300dc7f 100644
--- a/keystone/templates/job-db-sync.yaml
+++ b/keystone/templates/job-db-sync.yaml
@@ -43,6 +43,16 @@ spec:
 cpu: {{ .Values.resources.jobs.db_sync.requests.cpu | quote }}
 memory: {{ .Values.resources.jobs.db_sync.requests.memory | quote }}
 {{- end }}
+ env:
+ - name: OS_BOOTSTRAP_ADMIN_URL
+ value: {{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+ - name: OS_BOOTSTRAP_PUBLIC_URL
+ value: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+ - name: OS_BOOTSTRAP_INTERNAL_URL
+ value: {{ tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
 command:
 - /tmp/db-sync.sh
 volumeMounts:
diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml
index 1f526e20..01340ef8 100644
--- a/keystone/templates/pod-rally-test.yaml
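Review bot: In the job-db-sync hunk, `OS_BOOTSTRAP_PUBLIC_URL` is built from the `"internal"` endpoint and `OS_BOOTSTRAP_INTERNAL_URL` from the `"public"` one — the reverse of what the old db-sync.sh inlined — and db-sync.sh now passes these straight to `--bootstrap-public-url` / `--bootstrap-internal-url`, so keystone would register its in-cluster address as the public endpoint of the service catalog and the public address as the internal one. Swap the two lookups: `value: {{ tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}` under `OS_BOOTSTRAP_PUBLIC_URL`, and `"internal"` under `OS_BOOTSTRAP_INTERNAL_URL`. The job-bootstrap and job-db-init hunks on this line are plain renames and need nothing.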
+++ b/keystone/templates/pod-rally-test.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "keystone-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.tests }} {{- $mounts_keystone_tests := .Values.mounts.keystone_tests.keystone_tests }} {{- $mounts_keystone_tests_init := .Values.mounts.keystone_tests.init_container }} @@ -42,7 +41,7 @@ spec: memory: {{ .Values.resources.tests.requests.memory | quote }} {{- end }} env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- end }} - name: RALLY_ENV_NAME diff --git a/keystone/templates/secret-db-root.env.yaml b/keystone/templates/secret-db-root.env.yaml deleted file mode 100644 index 4623037d..00000000 --- a/keystone/templates/secret-db-root.env.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: keystone-db-root -type: Opaque -data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} diff --git a/keystone/templates/secret-db.yaml b/keystone/templates/secret-db.yaml new file mode 100644 index 00000000..f8c9dffe --- /dev/null +++ b/keystone/templates/secret-db.yaml 
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/keystone/templates/secret-keystone-admin.env.yaml b/keystone/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index 3652bb7a..00000000
--- a/keystone/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: keystone-env-keystone-admin -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.admin_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.admin_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.admin_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.admin_password | b64enc | indent 4 }} diff --git a/mistral/templates/secret-db-root.env.yaml b/keystone/templates/secret-keystone.yaml similarity index 68% rename from mistral/templates/secret-db-root.env.yaml rename to keystone/templates/secret-keystone.yaml index d9a3e873..032eec64 100644 --- a/mistral/templates/secret-db-root.env.yaml +++ b/keystone/templates/secret-keystone.yaml 
@@ -11,11 +11,15 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- apiVersion: v1 kind: Secret metadata: - name: mistral-db-root + name: {{ $secretName }} type: Opaque data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/keystone/values.yaml b/keystone/values.yaml index e87ca30b..205a2bee 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml @@ -48,14 +48,7 @@ termination_grace_period: timeout: 30 keystone: - version: v3 - scheme: http - admin_region_name: RegionOne - admin_user: admin - admin_password: password - admin_project_name: admin - admin_user_domain: default - admin_project_domain: default + bootstrap: enabled: true @@ -194,12 +187,28 @@ conf: enabled: true backend: dogpile.cache.memcached +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: keystone-keystone-admin + oslo_db: + admin: keystone-db-admin + user: keystone-db-user + # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone diff --git a/magnum/templates/configmap-etc.yaml b/magnum/templates/configmap-etc.yaml index 51f7dac6..61bfa6c4 100644 --- a/magnum/templates/configmap-etc.yaml +++ b/magnum/templates/configmap-etc.yaml 
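Review bot: In the first keystone/values.yaml hunk the `keystone:` key is kept while all of its children are removed and a blank line is added in their place, so `.Values.keystone` now appears to render as null (a bare `key:` is `null`, not an empty map); any template still reading `.Values.keystone.*` would fail on a nil map, and the dangling key invites someone to put settings back under it. Either delete the `keystone:` line or write `keystone: {}` if the key is meant to stay as an extension point. The added blank line also leaves two consecutive blank lines before `bootstrap:`.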
@@ -23,6 +23,25 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty 
.Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} diff --git a/magnum/templates/job-db-init.yaml b/magnum/templates/job-db-init.yaml index e696ea4d..29603a7f 100644 --- a/magnum/templates/job-db-init.yaml +++ b/magnum/templates/job-db-init.yaml @@ -43,7 +43,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: magnum-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/magnum/magnum.conf diff --git a/magnum/templates/job-ks-endpoints.yaml b/magnum/templates/job-ks-endpoints.yaml index 726f953b..ed14f505 100644 --- a/magnum/templates/job-ks-endpoints.yaml +++ b/magnum/templates/job-ks-endpoints.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone_secrets.admin }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/magnum/templates/job-ks-service.yaml b/magnum/templates/job-ks-service.yaml index 94283634..153645bf 100644 --- a/magnum/templates/job-ks-service.yaml +++ b/magnum/templates/job-ks-service.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone_secrets.admin }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job 
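Review bot: The six new `set … auth_token "<key>" …` blocks copy the service user's credentials out of `endpoints.identity.auth.user` into `conf.magnum`, and this template (configmap-etc.yaml, by its name) appears to render that map into a ConfigMap rather than a Secret; the commit moves where the password comes from, but the rendered `[keystone_authtoken] password` still lands in a non-secret object readable by anyone who can list ConfigMaps in the namespace. That is pre-existing, so at minimum a comment on the `password` block such as `# NOTE: this value is rendered into the magnum.conf ConfigMap; move to a Secret-backed config before exposing the namespace to other tenants` would record the debt, with a follow-up to render the config from a Secret. The same 19-line block is repeated verbatim in mistral/templates/configmap-etc.yaml in this commit; a helm-toolkit snippet taking the chart's `auth_token` map and the `auth.user` map would remove the copy-paste and keep the key list in one place.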
@@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/magnum/templates/job-ks-user.yaml b/magnum/templates/job-ks-user.yaml index 2f24ca11..4c7fae40 100644 --- a/magnum/templates/job-ks-user.yaml +++ b/magnum/templates/job-ks-user.yaml @@ -12,8 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "magnum-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "magnum-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} apiVersion: batch/v1 @@ -49,16 +47,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "magnum" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.magnum_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: diff --git a/magnum/templates/secret-db-root.env.yaml b/magnum/templates/secret-db-root.env.yaml deleted file mode 100644 index b7a2a353..00000000 --- a/magnum/templates/secret-db-root.env.yaml +++ /dev/null 
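Review bot: In the magnum job-ks-user env block the two `with $env := dict "ksUserSecret" …` lines now reach the same values map two different ways, `$envAll.Values.secrets.identity.admin` and `.Values.secrets.identity.user`; both resolve here because `.` is still the root context, but the mix reads as if one of them sat inside a rebinding scope. Use `{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.user }}` on the second line to match the first and the other jobs in the chart. The same mix is introduced in mistral/templates/job-ks-user.yaml.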
@@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: magnum-db-root -type: Opaque -data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} diff --git a/magnum/templates/secret-db.yaml b/magnum/templates/secret-db.yaml new file mode 100644 index 00000000..f8c9dffe --- /dev/null +++ b/magnum/templates/secret-db.yaml @@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- end }} diff --git a/magnum/templates/secret-keystone-admin.env.yaml b/magnum/templates/secret-keystone-admin.env.yaml deleted file mode 100644 index f7956238..00000000 --- a/magnum/templates/secret-keystone-admin.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keystone_secrets.admin }} -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.keystone.admin_region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.keystone.admin_project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.keystone.admin_user | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.keystone.admin_password | b64enc | indent 4 }} diff --git a/magnum/templates/secret-keystone-user.env.yaml b/magnum/templates/secret-keystone-user.env.yaml deleted file mode 100644 index ef461171..00000000 --- a/magnum/templates/secret-keystone-user.env.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 2017 The Openstack-Helm Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.keystone_secrets.user }} -type: Opaque -data: - OS_AUTH_URL: | -{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} - OS_REGION_NAME: | -{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }} - OS_PROJECT_DOMAIN_NAME: | -{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }} - OS_PROJECT_NAME: | -{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }} - OS_USER_DOMAIN_NAME: | -{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }} - OS_USERNAME: | -{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }} - OS_PASSWORD: | -{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }} diff --git a/magnum/templates/secret-keystone.yaml b/magnum/templates/secret-keystone.yaml new file mode 100644 index 00000000..2507c3b3 --- /dev/null +++ b/magnum/templates/secret-keystone.yaml 
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- $envAll := . }} +{{- range $key1, $userClass := tuple "admin" "user" }} +{{- $secretName := index $envAll.Values.secrets.identity $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: +{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}} +{{- end }} diff --git a/magnum/values.yaml b/magnum/values.yaml index 27d54f89..1d7e69a6 100644 --- a/magnum/values.yaml +++ b/magnum/values.yaml @@ -17,7 +17,6 @@ # Declare name/value pairs to be passed into your templates. # name: value - replicas: api: 1 conductor: 1 @@ -52,20 +51,6 @@ termination_grace_period: api: timeout: 30 -keystone_secrets: - admin: "magnum-env-keystone-admin" - user: "magnum-env-keystone-user" - -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - - magnum_user_role: "admin" - conf: paste: override: 
@@ -146,12 +131,37 @@ dependencies: - service: identity endpoint: internal +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: magnum-keystone-admin + user: magnum-keystone-user + oslo_db: + admin: magnum-db-admin + user: magnum-db-user + # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: magnum + password: password + project_name: service + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone diff --git a/mistral/templates/configmap-etc.yaml b/mistral/templates/configmap-etc.yaml index 439555d9..95ee7cbb 100644 --- a/mistral/templates/configmap-etc.yaml +++ b/mistral/templates/configmap-etc.yaml 
@@ -22,6 +22,25 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty 
.Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} diff --git a/mistral/templates/job-db-init.yaml b/mistral/templates/job-db-init.yaml index fd595c2d..a1501920 100644 --- a/mistral/templates/job-db-init.yaml +++ b/mistral/templates/job-db-init.yaml @@ -43,7 +43,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: mistral-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/mistral/mistral.conf diff --git a/mistral/templates/job-ks-endpoints.yaml b/mistral/templates/job-ks-endpoints.yaml index 7f43b08a..3595c535 100644 --- a/mistral/templates/job-ks-endpoints.yaml +++ b/mistral/templates/job-ks-endpoints.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "mistral-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/mistral/templates/job-ks-service.yaml b/mistral/templates/job-ks-service.yaml index 04de18a5..8c14c374 100644 --- a/mistral/templates/job-ks-service.yaml +++ b/mistral/templates/job-ks-service.yaml 
@@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "mistral-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job @@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/mistral/templates/job-ks-user.yaml b/mistral/templates/job-ks-user.yaml index bda79d5c..d8759d9e 100644 --- a/mistral/templates/job-ks-user.yaml +++ b/mistral/templates/job-ks-user.yaml @@ -12,8 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "mistral-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "mistral-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} apiVersion: batch/v1 @@ -49,16 +47,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "mistral" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.mistral_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: 
diff --git a/mistral/templates/secret-db.yaml b/mistral/templates/secret-db.yaml
new file mode 100644
index 00000000..f8c9dffe
--- /dev/null
+++ b/mistral/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/mistral/templates/secret-keystone-admin.env.yaml b/mistral/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index b53c5817..00000000
--- a/mistral/templates/secret-keystone-admin.env.yaml
+++ /dev/null
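Review bot: The `admin` iteration renders the database admin DSN (the credential job-db-init consumed as `mistral-db-root` before this change) into a chart-owned Secret named from `secrets.oslo_db.admin`, so every service chart adopting this template keeps its own copy of the DB admin password in its namespace; that should be stated in the template so nobody later mounts it into the API pods. Suggested header after the `$envAll` line: `{{/* admin: DB admin DSN, consumed only by the db-init job; user: service DSN used at runtime */}}`. `name: {{ $secretName }}` is also unquoted, so an empty override renders `name:` with no value instead of an explicit string; `name: {{ $secretName | quote }}` keeps the rendered manifest unambiguous.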
@@ -1,35 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: mistral-env-keystone-admin
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.keystone.admin_user | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.keystone.admin_password | b64enc | indent 4 }}
-
diff --git a/mistral/templates/secret-keystone-user.env.yaml b/mistral/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index 47f6103b..00000000
--- a/mistral/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: mistral-env-keystone-user
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }}
diff --git a/mistral/templates/secret-keystone.yaml b/mistral/templates/secret-keystone.yaml
new file mode 100644
index 00000000..2507c3b3
--- /dev/null
+++ b/mistral/templates/secret-keystone.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
diff --git a/mistral/values.yaml b/mistral/values.yaml
index a387b5bc..63faa4da 100644
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@@ -17,7 +17,6 @@ # Declare name/value pairs to be passed into your templates. # name: value - replicas: api: 1 engine: 1
@@ -56,26 +55,6 @@ termination_grace_period: api: timeout: 30 -keystone_secrets: - admin: "mistral-env-keystone-admin" - user: "mistral-env-keystone-user" - -keystone: - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - - mistral_user: "mistral" - mistral_user_domain: "default" - mistral_user_role: "admin" - mistral_password: "password" - mistral_project_name: "service" - mistral_project_domain: "default" - mistral_region_name: "RegionOne" - network: api: ingress:
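Review bot: Both iterations call `tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc"`, whereas the deleted `secret-keystone-admin.env.yaml` built the admin `OS_AUTH_URL` from the `admin` identity endpoint (`tuple "identity" "admin" "admin"`); if the helper's second argument selects the endpoint class, the ks-user, ks-service and ks-endpoints jobs now present the admin credential to the internal endpoint. That may be intended, but it is a silent change in which endpoint receives the most privileged credential, so either pass the class explicitly for the admin iteration or document the choice: `{{/* NOTE: admin openrc now targets the internal endpoint; the admin endpoint is no longer used */}}`. The helper's signature is not visible here, so confirm which argument drives the endpoint lookup.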
@@ -150,12 +129,37 @@ dependencies: - service: identity endpoint: internal +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: mistral-keystone-admin + user: mistral-keystone-user + oslo_db: + admin: mistral-db-admin + user: mistral-db-user + # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: mistral + password: password + project_name: service + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml index 74533795..772c2f3d 100644 --- a/neutron/templates/configmap-etc.yaml +++ b/neutron/templates/configmap-etc.yaml 
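Review bot: `endpoints.identity.auth.admin.password` and `endpoints.identity.auth.user.password` both default to the literal `password`, and this commit now feeds them into the openrc Secrets, the keystone bootstrap jobs and the rendered mistral.conf, so an install without overrides runs with a guessable Keystone admin credential. The removed `keystone:` block carried the same defaults, but this block is what operators will copy from now on; mark it at minimum, `password: password  # placeholder only - override in every deployment`, and if the Helm in use has `fail`, reject the placeholder at render time. `user.role: admin` grants the service account the admin role; confirm mistral's policy does not accept a narrower role before keeping it as the default.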
@@ -33,6 +33,25 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end }} +{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} + {{- if empty 
.Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end }} diff --git a/neutron/templates/job-db-init.yaml b/neutron/templates/job-db-init.yaml index 333f6ed0..b17261ab 100644 --- a/neutron/templates/job-db-init.yaml +++ b/neutron/templates/job-db-init.yaml @@ -34,7 +34,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: neutron-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/neutron/neutron.conf diff --git a/neutron/templates/job-ks-endpoints.yaml b/neutron/templates/job-ks-endpoints.yaml index d359ac9f..e64583f5 100644 --- a/neutron/templates/job-ks-endpoints.yaml +++ b/neutron/templates/job-ks-endpoints.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "neutron-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/neutron/templates/job-ks-service.yaml b/neutron/templates/job-ks-service.yaml index 10025ce0..0479b807 100644 --- a/neutron/templates/job-ks-service.yaml +++ b/neutron/templates/job-ks-service.yaml 
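Review bot: The six new fallbacks write `endpoints.identity.auth.user.*` values, including the password, into `conf.neutron.keystone_authtoken.keystonemiddleware.auth_token`, and since this is `configmap-etc.yaml` the rendered neutron.conf carries the plaintext service password in a ConfigMap while the commit's other credentials move into Secrets; note that explicitly in the template or restrict RBAC on this ConfigMap accordingly. Each `empty` test also replaces an explicitly empty `conf.neutron...password` override and never checks that the endpoints value exists, so a missing `endpoints.identity.auth.user.password` renders silently rather than failing; if `required` is available, wrap the lookup: `(required "endpoints.identity.auth.user.password must be set" .Values.endpoints.identity.auth.user.password)`. The fallback order here (`region_name` last) differs from the mistral and nova templates, which is harmless but makes the three harder to diff against each other.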
@@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "neutron-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job @@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml index e9a80ca5..7dd56e04 100644 --- a/neutron/templates/job-ks-user.yaml +++ b/neutron/templates/job-ks-user.yaml @@ -12,8 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "neutron-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "neutron-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} apiVersion: batch/v1 @@ -49,16 +47,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "neutron" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.neutron_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: 
diff --git a/neutron/templates/pod-rally-test.yaml b/neutron/templates/pod-rally-test.yaml index 5d7cd5c5..4a907014 100644 --- a/neutron/templates/pod-rally-test.yaml +++ b/neutron/templates/pod-rally-test.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "neutron-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.tests }} {{- $mounts_neutron_tests := .Values.mounts.neutron_tests.neutron_tests }} {{- $mounts_neutron_tests_init := .Values.mounts.neutron_tests.init_container }} @@ -32,7 +31,7 @@ spec: - name: {{.Release.Name}}-token-issue-test image: {{ .Values.images.test }} env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- end }} - name: RALLY_ENV_NAME diff --git a/neutron/templates/secret-db-root.env.yaml b/neutron/templates/secret-db-root.env.yaml deleted file mode 100644 index ccdccb7d..00000000 --- a/neutron/templates/secret-db-root.env.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: neutron-db-root -type: Opaque -data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} diff --git a/neutron/templates/secret-db.yaml b/neutron/templates/secret-db.yaml new file mode 100644 index 00000000..f8c9dffe --- /dev/null +++ b/neutron/templates/secret-db.yaml 
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/neutron/templates/secret-keystone-admin.env.yaml b/neutron/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index 3d1bb0b4..00000000
--- a/neutron/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: neutron-env-keystone-admin
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.keystone.admin_user | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.keystone.admin_password | b64enc | indent 4 }}
diff --git a/neutron/templates/secret-keystone-user.env.yaml b/neutron/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index 111ebdb4..00000000
--- a/neutron/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: neutron-env-keystone-user
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.keystone.neutron_region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.neutron_project_domain | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.keystone.neutron_project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.neutron_user_domain | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.keystone.neutron_user | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.keystone.neutron_password | b64enc | indent 4 }}
diff --git a/neutron/templates/secret-keystone.yaml b/neutron/templates/secret-keystone.yaml
new file mode 100644
index 00000000..2507c3b3
--- /dev/null
+++ b/neutron/templates/secret-keystone.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
diff --git a/neutron/values.yaml b/neutron/values.yaml
index 88e97d07..ba00367c 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -134,23 +134,6 @@ network: metadata: port: 8775 -keystone: - - admin_user: "admin" - admin_user_domain: "default" - admin_password: "password" - admin_project_name: "admin" - admin_project_domain: "default" - admin_region_name: "RegionOne" - - neutron_user: "neutron" - neutron_user_domain: "default" - neutron_user_role: "admin" - neutron_password: "password" - neutron_project_name: "service" - neutron_project_domain: "default" - neutron_region_name: "RegionOne" - metadata: workers: 4
@@ -374,12 +357,6 @@ conf: auth_token: auth_type: password auth_version: v3 - region_name: RegionOne - project_domain_name: default - project_name: service - user_domain_name: default - username: neutron - password: password ml2_conf: override: append:
@@ -488,6 +465,14 @@ conf: override: append: +# Names of secrets used by bootstrap and environmental checks +secrets: + identity: + admin: neutron-keystone-admin + user: neutron-keystone-user + oslo_db: + admin: neutron-db-admin + user: neutron-db-user # typically overriden by environmental # values, but should include all endpoints @@ -548,6 +533,22 @@ endpoints: default: 6080 identity: name: keystone + auth: + admin: + region_name: RegionOne + username: admin + password: password + project_name: admin + user_domain_name: default + project_domain_name: default + user: + role: admin + region_name: RegionOne + username: neutron + password: password + project_name: service + user_domain_name: default + project_domain_name: default hosts: default: keystone-api public: keystone diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml index 391912ca..18d7a7a0 100644 --- a/nova/templates/configmap-etc.yaml +++ b/nova/templates/configmap-etc.yaml 
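Review bot: The new `endpoints.identity.auth` block ships `password: password` for both the admin and the neutron service user, and the preceding hunk removed the explicit `conf.neutron.keystone_authtoken...password`, so this placeholder is now the only source of the credential the chart renders into its Secrets and ConfigMap. Flag it inline so it is not mistaken for a working default, `password: password  # placeholder - must be overridden`, and consider a render-time `fail` when the placeholder is still present if the Helm in use supports it. `user.role: admin` also grants the service account full admin; worth confirming that neutron's policy does not accept a narrower role before keeping it as the default.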
@@ -23,6 +23,25 @@ {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}} {{- end -}} +{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.region_name -}} +{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_name -}} +{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}} +{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}} +{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.username -}} +{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}} +{{- end -}} +{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.password -}} +{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}} +{{- end -}} + {{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}} {{- 
tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}} {{- end -}} diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml index b2bf5b8e..a915711b 100644 --- a/nova/templates/job-bootstrap.yaml +++ b/nova/templates/job-bootstrap.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "nova-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.bootstrap }} {{- $mounts_nova_bootstrap := .Values.mounts.nova_bootstrap.nova_bootstrap }} {{- $mounts_nova_bootstrap_init := .Values.mounts.nova_bootstrap.init_container }} @@ -45,7 +44,7 @@ spec: command: - /tmp/bootstrap.sh env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} volumeMounts: diff --git a/nova/templates/job-db-init.yaml b/nova/templates/job-db-init.yaml index 228ce31d..999ca334 100644 --- a/nova/templates/job-db-init.yaml +++ b/nova/templates/job-db-init.yaml @@ -43,7 +43,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: nova-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/nova/nova.conf @@ -80,7 +80,7 @@ spec: - name: ROOT_DB_CONNECTION valueFrom: secretKeyRef: - name: nova-db-root + name: {{ .Values.secrets.oslo_db.admin }} key: DB_CONNECTION - name: OPENSTACK_CONFIG_FILE value: /etc/nova/nova.conf diff --git a/nova/templates/job-ks-endpoints.yaml b/nova/templates/job-ks-endpoints.yaml index 68902ea2..5d02a01c 100644 --- a/nova/templates/job-ks-endpoints.yaml +++ b/nova/templates/job-ks-endpoints.yaml 
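Review bot: Both `ROOT_DB_CONNECTION` references in this hunk (at `@@ -43` and `@@ -80`) now point at `.Values.secrets.oslo_db.admin`, yet the same commit adds `secret-db-api.yaml`, which renders an `oslo_db_api` admin Secret that nothing in view consumes. If the second container initialises the nova API database, it presumably needs `name: {{ .Values.secrets.oslo_db_api.admin }}`; as written both containers receive the main DB admin DSN and the API-DB Secret is dead weight. The container names are outside the hunk, so confirm which database each one targets.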
@@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "nova-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_endpoints }} apiVersion: batch/v1 kind: Job @@ -50,7 +49,7 @@ spec: subPath: ks-endpoints.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT diff --git a/nova/templates/job-ks-service.yaml b/nova/templates/job-ks-service.yaml index 60dbaf78..4bf06628 100644 --- a/nova/templates/job-ks-service.yaml +++ b/nova/templates/job-ks-service.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "nova-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.ks_service }} apiVersion: batch/v1 kind: Job @@ -49,7 +48,7 @@ spec: subPath: ks-service.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME diff --git a/nova/templates/job-ks-user.yaml b/nova/templates/job-ks-user.yaml index 44de01b8..0e17dbca 100644 --- a/nova/templates/job-ks-user.yaml +++ b/nova/templates/job-ks-user.yaml @@ -12,8 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "nova-env-keystone-admin" }} -{{- $ksUserSecret := .Values.keystone.user_secret | default "nova-env-keystone-user" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} apiVersion: batch/v1 
@@ -49,16 +47,16 @@ spec: subPath: ks-user.sh readOnly: true env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME value: "nova" -{{- with $env := dict "ksUserSecret" $ksUserSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLE - value: {{ .Values.keystone.nova_user_role | quote }} + value: {{ .Values.endpoints.identity.auth.user.role | quote }} volumes: - name: ks-user-sh configMap: diff --git a/nova/templates/pod-rally-test.yaml b/nova/templates/pod-rally-test.yaml index ef1a4459..7ab40945 100644 --- a/nova/templates/pod-rally-test.yaml +++ b/nova/templates/pod-rally-test.yaml @@ -13,7 +13,6 @@ # limitations under the License. {{- $envAll := . }} -{{- $ksAdminSecret := .Values.keystone.admin_secret | default "nova-env-keystone-admin" }} {{- $dependencies := .Values.dependencies.tests }} {{- $mounts_nova_tests := .Values.mounts.nova_tests.nova_tests }} {{- $mounts_nova_tests_init := .Values.mounts.nova_tests.init_container }} @@ -32,7 +31,7 @@ spec: - name: {{.Release.Name}}-token-issue-test image: {{ .Values.images.test }} env: -{{- with $env := dict "ksUserSecret" $ksAdminSecret }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- end }} - name: RALLY_ENV_NAME diff --git a/nova/templates/secret-db-api.yaml b/nova/templates/secret-db-api.yaml new file mode 100644 index 00000000..37025142 --- /dev/null +++ b/nova/templates/secret-db-api.yaml 
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db_api $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "oslo_db_api" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/nova/templates/secret-db-root.env.yaml b/nova/templates/secret-db-root.env.yaml
deleted file mode 100644
index e5cfa657..00000000
--- a/nova/templates/secret-db-root.env.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: nova-db-root
-type: Opaque
-data:
- DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
diff --git a/nova/templates/secret-db.yaml b/nova/templates/secret-db.yaml
new file mode 100644
index 00000000..f8c9dffe
--- /dev/null
+++ b/nova/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/nova/templates/secret-keystone-admin.env.yaml b/nova/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index 126f7e01..00000000
--- a/nova/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: nova-env-keystone-admin
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.keystone.admin_user | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.keystone.admin_password | b64enc | indent 4 }}
diff --git a/nova/templates/secret-keystone-user.env.yaml b/nova/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index 26afb55a..00000000
--- a/nova/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: nova-env-keystone-user
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }}
diff --git a/nova/templates/secret-keystone.yaml b/nova/templates/secret-keystone.yaml
new file mode 100644
index 00000000..2507c3b3
--- /dev/null
+++ b/nova/templates/secret-keystone.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
diff --git a/nova/values.yaml b/nova/values.yaml
index 4579443f..51ec66e5 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -143,15 +143,6 @@ network:
 port: 6080
 targetPort: 6080
-keystone:
- admin_user: "admin"
- admin_user_domain: "default"
- admin_password: "password"
- admin_project_name: "admin"
- admin_project_domain: "default"
- admin_region_name: "RegionOne"
- nova_user_role: "admin"
-
 ceph:
 enabled: false
 monitors: []
@@ -416,12 +407,6 @@ conf:
 auth_token:
 auth_type: password
 auth_version: v3
- region_name: RegionOne
- project_name: service
- project_domain_name: default
- user_domain_name: default
- username: nova
- password: password
 libvirt:
 nova:
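Review bot: Both user classes are rendered with `tuple $userClass "internal" $envAll`, while the deleted secret-keystone-admin.env.yaml built the admin OS_AUTH_URL from `tuple "identity" "admin" "admin"`, i.e. the admin endpoint rather than the internal one. The `keystone_secret_openrc` snippet is not in this diff, so this is inferred, but if its second argument selects the endpoint class the admin openrc now points at a different Keystone URL than before; confirm that is intended, or select the endpoint per class (an `if eq $userClass "admin"` branch) before the `include`. The identical template is added for senlin further down in this diff.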
@@ -448,6 +433,17 @@ conf:
 conf:
 api_paste_config: /etc/nova/api-paste.ini
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: nova-keystone-admin
+ user: nova-keystone-user
+ oslo_db:
+ admin: nova-db-admin
+ user: nova-db-user
+ oslo_db_api:
+ admin: nova-db-api-admin
+ user: nova-db-api-user
 # typically overriden by environmental
 # values, but should include all endpoints
@@ -506,6 +502,22 @@ endpoints:
 default: 11211
 identity:
 name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ user:
+ role: admin
+ region_name: RegionOne
+ username: nova
+ password: password
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
 hosts:
 default: keystone-api
 public: keystone
diff --git a/senlin/templates/configmap-etc.yaml b/senlin/templates/configmap-etc.yaml
index bec615d3..4a3482a1 100644
--- a/senlin/templates/configmap-etc.yaml
+++ b/senlin/templates/configmap-etc.yaml
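Review bot: `password: password` is introduced as the default for both the Keystone admin account and the nova service user in the new `endpoints.identity.auth` block, and that service user is also given `role: admin`; these values are rendered straight into the Secrets created by secret-keystone.yaml earlier in this diff, so a deployment that keeps the defaults ships a known credential for an admin-role account. The existing "typically overriden by environmental values" comment sits above `endpoints:` as a whole, so the new block deserves its own marker, e.g. `# Placeholder credentials for CI/dev only; override per deployment (rendered verbatim into the keystone Secrets).` placed directly above `auth:`. The same block with the same defaults is added to senlin/values.yaml at the end of this diff.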
@@ -23,6 +23,25 @@
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
+{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.project_name -}}
+{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}}
+{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}}
+{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.username -}}
+{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.password -}}
+{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}}
 {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}}
 {{- end -}}
diff --git a/senlin/templates/job-db-init.yaml b/senlin/templates/job-db-init.yaml
index 4b1f8b2a..a1cdfcd5 100644
--- a/senlin/templates/job-db-init.yaml
+++ b/senlin/templates/job-db-init.yaml
@@ -43,7 +43,7 @@ spec:
 - name: ROOT_DB_CONNECTION
 valueFrom:
 secretKeyRef:
- name: senlin-db-root
+ name: {{ .Values.secrets.oslo_db.admin }}
 key: DB_CONNECTION
 - name: OPENSTACK_CONFIG_FILE
 value: /etc/senlin/senlin.conf
diff --git a/senlin/templates/job-ks-endpoints.yaml b/senlin/templates/job-ks-endpoints.yaml
index 5d307d92..bafe2d60 100644
--- a/senlin/templates/job-ks-endpoints.yaml
+++ b/senlin/templates/job-ks-endpoints.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
 {{- $dependencies := .Values.dependencies.ks_endpoints }}
 apiVersion: batch/v1
 kind: Job
@@ -50,7 +49,7 @@ spec:
 subPath: ks-endpoints.sh
 readOnly: true
 env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
 - name: OS_SVC_ENDPOINT
diff --git a/senlin/templates/job-ks-service.yaml b/senlin/templates/job-ks-service.yaml
index cf345a2c..016d026e 100644
--- a/senlin/templates/job-ks-service.yaml
+++ b/senlin/templates/job-ks-service.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
 {{- $dependencies := .Values.dependencies.ks_service }}
 apiVersion: batch/v1
 kind: Job
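Review bot: The six added `if empty … / set … | quote | trunc 0` blocks differ only in the key name, and each repeats the full `.Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token` and `.Values.endpoints.identity.auth.user` paths, so a typo in one of the twelve path copies would silently leave that option unset; a single `range` over the key names with `index` keeps the same `empty`-then-`set` semantics in seven lines. Since this template feeds a ConfigMap, the service password copied here lands in senlin.conf inside the ConfigMap rather than a Secret — that was already the case before this change, but it is worth keeping in mind now that the value is sourced from `endpoints.identity.auth.user.password`. The `auth_url` and `memcached_servers` blocks around it are untouched.

```yaml
{{/* … unchanged: auth_url lookup above … */}}
{{- $authToken := .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token -}}
{{- $userAuth := .Values.endpoints.identity.auth.user -}}
{{- range $key := tuple "region_name" "project_name" "project_domain_name" "user_domain_name" "username" "password" -}}
{{- if empty (index $authToken $key) -}}
{{- set $authToken $key (index $userAuth $key) | quote | trunc 0 -}}
{{- end -}}
{{- end -}}
{{/* … unchanged: memcached_servers lookup below … */}}
```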
@@ -49,7 +48,7 @@ spec:
 subPath: ks-service.sh
 readOnly: true
 env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
 - name: OS_SERVICE_NAME
diff --git a/senlin/templates/job-ks-user.yaml b/senlin/templates/job-ks-user.yaml
index 2d1a3655..2f2be1d6 100644
--- a/senlin/templates/job-ks-user.yaml
+++ b/senlin/templates/job-ks-user.yaml
@@ -12,8 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "senlin-env-keystone-admin" }}
-{{- $ksUserSecret := .Values.keystone.user_secret | default "senlin-env-keystone-user" }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
 apiVersion: batch/v1
@@ -49,16 +47,16 @@ spec:
 subPath: ks-user.sh
 readOnly: true
 env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
 - name: SERVICE_OS_SERVICE_NAME
 value: "senlin"
-{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
 - name: SERVICE_OS_ROLE
- value: {{ .Values.keystone.senlin_user_role | quote }}
+ value: {{ .Values.endpoints.identity.auth.user.role | quote }}
 volumes:
 - name: ks-user-sh
 configMap:
diff --git a/senlin/templates/secret-db-root.env.yaml b/senlin/templates/secret-db-root.env.yaml
deleted file mode 100644
index 020007c0..00000000
--- a/senlin/templates/secret-db-root.env.yaml
+++ /dev/null
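Review bot: In the job-ks-user env block the admin lookup uses `$envAll.Values.secrets.identity.admin` while the user lookup a few lines later uses `.Values.secrets.identity.user`. Both resolve today, because the `with` pipeline is evaluated in the enclosing scope before the dot is rebound, but mixing the two forms in one file invites a wrong reference when either block is later moved under a `with` or `range`; use `$envAll` for both: `{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.user }}`. The nova job-ks-user hunk at the top of this chunk uses bare `.Values` for both lookups, so the two charts also differ from each other on this point.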
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: senlin-db-root
-type: Opaque
-data:
- DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
diff --git a/senlin/templates/secret-db.yaml b/senlin/templates/secret-db.yaml
new file mode 100644
index 00000000..f8c9dffe
--- /dev/null
+++ b/senlin/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+ DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/senlin/templates/secret-keystone-admin.env.yaml b/senlin/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index f7956238..00000000
--- a/senlin/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.keystone_secrets.admin }}
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.keystone.admin_user | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.keystone.admin_password | b64enc | indent 4 }}
diff --git a/senlin/templates/secret-keystone-user.env.yaml b/senlin/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index a11f50c3..00000000
--- a/senlin/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.keystone_secrets.user }}
-type: Opaque
-data:
- OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
- OS_REGION_NAME: |
-{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
- OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
- OS_PROJECT_NAME: |
-{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
- OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
- OS_USERNAME: |
-{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
- OS_PASSWORD: |
-{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }}
diff --git a/senlin/templates/secret-keystone.yaml b/senlin/templates/secret-keystone.yaml
new file mode 100644
index 00000000..2507c3b3
--- /dev/null
+++ b/senlin/templates/secret-keystone.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
diff --git a/senlin/values.yaml b/senlin/values.yaml
index 1520e547..1bdcf0c4 100644
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@@ -17,7 +17,6 @@
 # Declare name/value pairs to be passed into your templates.
 # name: value
-
 replicas:
 api: 1
 engine: 1
@@ -52,21 +51,6 @@ termination_grace_period:
 api:
 timeout: 30
-keystone_secrets:
- admin: "senlin-env-keystone-admin"
- user: "senlin-env-keystone-user"
-
-keystone:
- admin_user: "admin"
- admin_user_domain: "default"
- admin_password: "password"
- admin_project_name: "admin"
- admin_project_domain: "default"
- admin_region_name: "RegionOne"
-
- senlin_user_role: "admin"
-
-
 conf:
 paste:
 override:
@@ -82,12 +66,6 @@ conf:
 auth_token:
 auth_type: password
 auth_version: v3
- region_name: RegionOne
- project_domain_name: default
- project_name: service
- user_domain_name: default
- username: senlin
- password: password
 senlin_api:
 senlin:
 config:
@@ -147,12 +125,37 @@ dependencies:
 - service: identity
 endpoint: internal
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+ identity:
+ admin: senlin-keystone-admin
+ user: senlin-keystone-user
+ oslo_db:
+ admin: senlin-db-admin
+ user: senlin-db-user
+
 # typically overriden by environmental
 # values, but should include all endpoints
 # required by this chart
 endpoints:
 identity:
 name: keystone
+ auth:
+ admin:
+ region_name: RegionOne
+ username: admin
+ password: password
+ project_name: admin
+ user_domain_name: default
+ project_domain_name: default
+ user:
+ role: admin
+ region_name: RegionOne
+ username: senlin
+ password: password
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
 hosts:
 default: keystone-api
 public: keystone