Merge "Charts to use their own service accounts"
This commit is contained in:
Zuul
@@ -54,22 +54,22 @@ limitations under the License.
|
||||
{{- end }}
|
||||
|
||||
{{- if empty $envAll.Values.conf.cinder.nova.region_name -}}
|
||||
{{- $_ := set $envAll.Values.conf.cinder.nova "region_name" $envAll.Values.endpoints.identity.auth.cinder.region_name -}}
|
||||
{{- $_ := set $envAll.Values.conf.cinder.nova "region_name" $envAll.Values.endpoints.identity.auth.nova.region_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty $envAll.Values.conf.cinder.nova.project_name -}}
|
||||
{{- $_ := set $envAll.Values.conf.cinder.nova "project_name" $envAll.Values.endpoints.identity.auth.cinder.project_name -}}
|
||||
{{- $_ := set $envAll.Values.conf.cinder.nova "project_name" $envAll.Values.endpoints.identity.auth.nova.project_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty $envAll.Values.conf.cinder.nova.project_domain_name -}}
|
||||
{{- $_ := set $envAll.Values.conf.cinder.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.cinder.project_domain_name -}}
|
||||
{{- $_ := set $envAll.Values.conf.cinder.nova "project_domain_name" $envAll.Values.endpoints.identity.auth.nova.project_domain_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty $envAll.Values.conf.cinder.nova.user_domain_name -}}
|
||||
{{- $_ := set $envAll.Values.conf.cinder.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.cinder.user_domain_name -}}
|
||||
{{- $_ := set $envAll.Values.conf.cinder.nova "user_domain_name" $envAll.Values.endpoints.identity.auth.nova.user_domain_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty $envAll.Values.conf.cinder.nova.username -}}
|
||||
{{- $_ := set $envAll.Values.conf.cinder.nova "username" $envAll.Values.endpoints.identity.auth.cinder.username -}}
|
||||
{{- $_ := set $envAll.Values.conf.cinder.nova "username" $envAll.Values.endpoints.identity.auth.nova.username -}}
|
||||
{{- end -}}
|
||||
{{- if empty $envAll.Values.conf.cinder.nova.password -}}
|
||||
{{- $_ := set $envAll.Values.conf.cinder.nova "password" $envAll.Values.endpoints.identity.auth.cinder.password -}}
|
||||
{{- $_ := set $envAll.Values.conf.cinder.nova "password" $envAll.Values.endpoints.identity.auth.nova.password -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty .Values.conf.cinder.database.connection -}}
|
||||
@@ -97,19 +97,19 @@ limitations under the License.
|
||||
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.DEFAULT "backup_swift_auth_url" -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user_domain -}}
|
||||
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user_domain" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
|
||||
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user_domain" .Values.endpoints.identity.auth.swift.user_domain_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_user -}}
|
||||
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user" .Values.endpoints.identity.auth.cinder.username -}}
|
||||
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_user" .Values.endpoints.identity.auth.swift.username -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_key -}}
|
||||
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_key" .Values.endpoints.identity.auth.cinder.password -}}
|
||||
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_key" .Values.endpoints.identity.auth.swift.password -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project_domain -}}
|
||||
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project_domain" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
|
||||
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project_domain" .Values.endpoints.identity.auth.swift.project_domain_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.cinder.DEFAULT.backup_swift_project -}}
|
||||
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project" .Values.endpoints.identity.auth.cinder.project_name -}}
|
||||
{{- $_ := set .Values.conf.cinder.DEFAULT "backup_swift_project" .Values.endpoints.identity.auth.swift.project_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.cinder.DEFAULT.swift_catalog_info -}}
|
||||
{{- $_ := set .Values.conf.cinder.DEFAULT "swift_catalog_info" "object-store:swift:internalURL" -}}
|
||||
@@ -125,22 +125,22 @@ limitations under the License.
|
||||
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.cinder.service_user "auth_url" -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.cinder.service_user.region_name -}}
|
||||
{{- $_ := set .Values.conf.cinder.service_user "region_name" .Values.endpoints.identity.auth.cinder.region_name -}}
|
||||
{{- $_ := set .Values.conf.cinder.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.cinder.service_user.project_name -}}
|
||||
{{- $_ := set .Values.conf.cinder.service_user "project_name" .Values.endpoints.identity.auth.cinder.project_name -}}
|
||||
{{- $_ := set .Values.conf.cinder.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.cinder.service_user.project_domain_name -}}
|
||||
{{- $_ := set .Values.conf.cinder.service_user "project_domain_name" .Values.endpoints.identity.auth.cinder.project_domain_name -}}
|
||||
{{- $_ := set .Values.conf.cinder.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.cinder.service_user.user_domain_name -}}
|
||||
{{- $_ := set .Values.conf.cinder.service_user "user_domain_name" .Values.endpoints.identity.auth.cinder.user_domain_name -}}
|
||||
{{- $_ := set .Values.conf.cinder.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.cinder.service_user.username -}}
|
||||
{{- $_ := set .Values.conf.cinder.service_user "username" .Values.endpoints.identity.auth.cinder.username -}}
|
||||
{{- $_ := set .Values.conf.cinder.service_user "username" .Values.endpoints.identity.auth.service.username -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.cinder.service_user.password -}}
|
||||
{{- $_ := set .Values.conf.cinder.service_user "password" .Values.endpoints.identity.auth.cinder.password -}}
|
||||
{{- $_ := set .Values.conf.cinder.service_user "password" .Values.endpoints.identity.auth.service.password -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
|
||||
@@ -18,7 +18,14 @@ helm.sh/hook-weight: "-1"
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.manifests.job_ks_user }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
|
||||
{{- $serviceUsers := (tuple "cinder" "nova") -}}
|
||||
{{- if (contains "cinder.backup.drivers.swift" .Values.conf.cinder.DEFAULT.backup_driver) }}
|
||||
{{- $serviceUsers = append $serviceUsers "swift" -}}
|
||||
{{- end }}
|
||||
{{- if .Values.conf.cinder.service_user.send_service_user_token -}}
|
||||
{{- $serviceUsers = append $serviceUsers "service" -}}
|
||||
{{- end }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" "serviceUsers" $serviceUsers -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
|
||||
{{- end -}}
|
||||
|
||||
@@ -14,7 +14,7 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.secret_keystone }}
|
||||
{{- $envAll := . }}
|
||||
{{- range $key1, $userClass := tuple "admin" "cinder" "test" }}
|
||||
{{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }}
|
||||
{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
|
||||
---
|
||||
apiVersion: v1
|
||||
|
||||
@@ -1243,6 +1243,9 @@ secrets:
|
||||
identity:
|
||||
admin: cinder-keystone-admin
|
||||
cinder: cinder-keystone-user
|
||||
nova: cinder-keystone-nova
|
||||
swift: cinder-keystone-swift
|
||||
service: cinder-keystone-service
|
||||
test: cinder-keystone-test
|
||||
oslo_db:
|
||||
admin: cinder-db-admin
|
||||
@@ -1312,6 +1315,30 @@ endpoints:
|
||||
project_name: service
|
||||
user_domain_name: service
|
||||
project_domain_name: service
|
||||
nova:
|
||||
role: admin,service
|
||||
region_name: RegionOne
|
||||
project_name: service
|
||||
username: cinder_nova
|
||||
password: password
|
||||
user_domain_name: service
|
||||
project_domain_name: service
|
||||
swift:
|
||||
role: admin,service
|
||||
region_name: RegionOne
|
||||
project_name: service
|
||||
username: cinder_swift
|
||||
password: password
|
||||
user_domain_name: service
|
||||
project_domain_name: service
|
||||
service:
|
||||
role: admin,service
|
||||
region_name: RegionOne
|
||||
project_name: service
|
||||
username: cinder_service_user
|
||||
password: password
|
||||
user_domain_name: service
|
||||
project_domain_name: service
|
||||
test:
|
||||
role: admin
|
||||
region_name: RegionOne
|
||||
|
||||
@@ -18,7 +18,14 @@ helm.sh/hook-weight: "-1"
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.manifests.job_ks_user }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
|
||||
{{- $serviceUsers := (tuple "neutron" "nova" "placement") -}}
|
||||
{{- if eq (.Values.conf.neutron.DEFAULT.external_dns_driver | default "") "designate" -}}
|
||||
{{- $serviceUsers = append $serviceUsers "designate" -}}
|
||||
{{- end -}}
|
||||
{{- if (has "baremetal" .Values.network.backend) -}}
|
||||
{{- $serviceUsers = append $serviceUsers "ironic" -}}
|
||||
{{- end -}}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" "serviceUsers" $serviceUsers -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
|
||||
{{- end -}}
|
||||
|
||||
@@ -14,7 +14,7 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.secret_keystone }}
|
||||
{{- $envAll := . }}
|
||||
{{- range $key1, $userClass := tuple "admin" "neutron" "test" }}
|
||||
{{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }}
|
||||
{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
|
||||
---
|
||||
apiVersion: v1
|
||||
|
||||
@@ -2316,6 +2316,10 @@ secrets:
|
||||
identity:
|
||||
admin: neutron-keystone-admin
|
||||
neutron: neutron-keystone-user
|
||||
nova: neutron-keystone-nova
|
||||
placement: neutron-keystone-placement
|
||||
designate: neutron-keystone-designate
|
||||
ironic: neutron-keystone-ironic
|
||||
test: neutron-keystone-test
|
||||
oslo_db:
|
||||
admin: neutron-db-admin
|
||||
@@ -2477,30 +2481,34 @@ endpoints:
|
||||
user_domain_name: service
|
||||
project_domain_name: service
|
||||
nova:
|
||||
role: admin,service
|
||||
region_name: RegionOne
|
||||
project_name: service
|
||||
username: nova
|
||||
username: neutron_nova
|
||||
password: password
|
||||
user_domain_name: service
|
||||
project_domain_name: service
|
||||
placement:
|
||||
role: admin,service
|
||||
region_name: RegionOne
|
||||
project_name: service
|
||||
username: placement
|
||||
username: neutron_placement
|
||||
password: password
|
||||
user_domain_name: service
|
||||
project_domain_name: service
|
||||
designate:
|
||||
role: admin,service
|
||||
region_name: RegionOne
|
||||
project_name: service
|
||||
username: designate
|
||||
username: neutron_designate
|
||||
password: password
|
||||
user_domain_name: service
|
||||
project_domain_name: service
|
||||
ironic:
|
||||
role: admin,service
|
||||
region_name: RegionOne
|
||||
project_name: service
|
||||
username: ironic
|
||||
username: neutron_ironic
|
||||
password: password
|
||||
user_domain_name: service
|
||||
project_domain_name: service
|
||||
|
||||
@@ -61,22 +61,22 @@ limitations under the License.
|
||||
{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.nova.service_user "auth_url" -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.nova.service_user.region_name -}}
|
||||
{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.nova.region_name -}}
|
||||
{{- $_ := set .Values.conf.nova.service_user "region_name" .Values.endpoints.identity.auth.service.region_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.nova.service_user.project_name -}}
|
||||
{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.nova.project_name -}}
|
||||
{{- $_ := set .Values.conf.nova.service_user "project_name" .Values.endpoints.identity.auth.service.project_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.nova.service_user.project_domain_name -}}
|
||||
{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.nova.project_domain_name -}}
|
||||
{{- $_ := set .Values.conf.nova.service_user "project_domain_name" .Values.endpoints.identity.auth.service.project_domain_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.nova.service_user.user_domain_name -}}
|
||||
{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.nova.user_domain_name -}}
|
||||
{{- $_ := set .Values.conf.nova.service_user "user_domain_name" .Values.endpoints.identity.auth.service.user_domain_name -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.nova.service_user.username -}}
|
||||
{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.nova.username -}}
|
||||
{{- $_ := set .Values.conf.nova.service_user "username" .Values.endpoints.identity.auth.service.username -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.nova.service_user.password -}}
|
||||
{{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.nova.password -}}
|
||||
{{- $_ := set .Values.conf.nova.service_user "password" .Values.endpoints.identity.auth.service.password -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- end -}}
|
||||
|
||||
@@ -18,7 +18,11 @@ helm.sh/hook-weight: "-1"
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.manifests.job_ks_user }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "nova" -}}
|
||||
{{- $serviceUsers := (tuple "nova" "neutron" "placement" "ironic" "cinder") -}}
|
||||
{{- if .Values.conf.nova.service_user.send_service_user_token }}
|
||||
{{- $serviceUsers = append $serviceUsers "service" -}}
|
||||
{{- end }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "nova" "serviceUsers" $serviceUsers -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
|
||||
{{- end -}}
|
||||
|
||||
@@ -14,7 +14,7 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.secret_keystone }}
|
||||
{{- $envAll := . }}
|
||||
{{- range $key1, $userClass := tuple "admin" "nova" "test" }}
|
||||
{{- range $userClass, $val := $envAll.Values.endpoints.identity.auth }}
|
||||
{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
|
||||
---
|
||||
apiVersion: v1
|
||||
|
||||
@@ -1641,6 +1641,11 @@ secrets:
|
||||
identity:
|
||||
admin: nova-keystone-admin
|
||||
nova: nova-keystone-user
|
||||
neutron: nova-keystone-neutron
|
||||
placement: nova-keystone-placement
|
||||
cinder: nova-keystone-cinder
|
||||
ironic: nova-keystone-ironic
|
||||
service: nova-keystone-service
|
||||
test: nova-keystone-test
|
||||
oslo_db:
|
||||
admin: nova-db-admin
|
||||
@@ -1824,30 +1829,40 @@ endpoints:
|
||||
project_name: service
|
||||
user_domain_name: service
|
||||
project_domain_name: service
|
||||
service:
|
||||
role: admin,service
|
||||
region_name: RegionOne
|
||||
username: nova_service_user
|
||||
password: password
|
||||
project_name: service
|
||||
user_domain_name: service
|
||||
project_domain_name: service
|
||||
# NOTE(portdirect): the neutron user is not managed by the nova chart
|
||||
# these values should match those set in the neutron chart.
|
||||
neutron:
|
||||
role: admin,service
|
||||
region_name: RegionOne
|
||||
project_name: service
|
||||
user_domain_name: service
|
||||
project_domain_name: service
|
||||
username: neutron
|
||||
username: nova_neutron
|
||||
password: password
|
||||
# NOTE(portdirect): the ironic user is not managed by the nova chart
|
||||
# these values should match those set in the ironic chart.
|
||||
ironic:
|
||||
role: admin,service
|
||||
auth_type: password
|
||||
auth_version: v3
|
||||
region_name: RegionOne
|
||||
project_name: service
|
||||
user_domain_name: service
|
||||
project_domain_name: service
|
||||
username: ironic
|
||||
username: nova_ironic
|
||||
password: password
|
||||
placement:
|
||||
role: admin
|
||||
role: admin,service
|
||||
region_name: RegionOne
|
||||
username: placement
|
||||
username: nova_placement
|
||||
password: password
|
||||
project_name: service
|
||||
user_domain_name: service
|
||||
@@ -1855,7 +1870,7 @@ endpoints:
|
||||
cinder:
|
||||
role: admin,service
|
||||
region_name: RegionOne
|
||||
username: cinder
|
||||
username: nova_cinder
|
||||
password: password
|
||||
project_name: service
|
||||
user_domain_name: service
|
||||
|
||||
6
releasenotes/notes/neutron-2d4db97bc8900286.yaml
Normal file
6
releasenotes/notes/neutron-2d4db97bc8900286.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
---
|
||||
neutron:
|
||||
- |
|
||||
Create multiple Keystone service accounts to access to
|
||||
other Openstack APIs
|
||||
...
|
||||
Reference in New Issue
Block a user