diff --git a/barbican/templates/configmap-etc.yaml b/barbican/templates/configmap-etc.yaml
index 1468de7cee..27654c7c19 100644
--- a/barbican/templates/configmap-etc.yaml
+++ b/barbican/templates/configmap-etc.yaml
@@ -20,6 +20,25 @@
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
 
+{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
+{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.project_name -}}
+{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}}
+{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}}
+{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.username -}}
+{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.password -}}
+{{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}}
 {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}}
 {{- end -}}
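Review bot: The added `set … "password" .Values.endpoints.identity.auth.user.password` block copies the Keystone service password into `.Values.conf.barbican.keystone_authtoken…`, and this template is the chart's `configmap-etc`, so the credential presumably ends up in a ConfigMap rather than a Secret. ConfigMaps are usually readable by more subjects than Secrets and are printed in plain text by routine tooling, so the rendered config file that carries these options would be better delivered from a Secret. The same six-block pattern is added to cinder/templates/configmap-etc.yaml and glance/templates/configmap-etc.yaml. A template comment above the block, for example `{{/* keystone_authtoken falls back to endpoints.identity.auth.user unless set under conf */}}`, would also help, since the `| quote | trunc 0` idiom hides that these lines only mutate `.Values`.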
diff --git a/barbican/templates/job-db-init.yaml b/barbican/templates/job-db-init.yaml
index dd0f2667d4..fd8d901a78 100644
--- a/barbican/templates/job-db-init.yaml
+++ b/barbican/templates/job-db-init.yaml
@@ -41,7 +41,7 @@ spec:
             - name: ROOT_DB_CONNECTION
               valueFrom:
                 secretKeyRef:
-                  name: barbican-db-root
+                  name: {{ .Values.secrets.oslo_db.admin }}
                   key: DB_CONNECTION
             - name: OPENSTACK_CONFIG_FILE
               value: /etc/barbican/barbican.conf
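Review bot: The secret name at `name: {{ .Values.secrets.oslo_db.admin }}` is emitted unquoted, so an override that is empty or that YAML reads as a boolean or number renders a non-string `secretKeyRef.name`. Quote it: `name: {{ .Values.secrets.oslo_db.admin | quote }}`. The same applies to cinder/templates/job-db-init.yaml and to `name: {{ $secretName }}` in the new secret-db.yaml and secret-keystone.yaml templates. The container spec continues outside this hunk.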
diff --git a/barbican/templates/job-ks-endpoints.yaml b/barbican/templates/job-ks-endpoints.yaml
index cb9cb2376a..86789f3ee7 100644
--- a/barbican/templates/job-ks-endpoints.yaml
+++ b/barbican/templates/job-ks-endpoints.yaml
@@ -11,7 +11,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "barbican-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.ks_endpoints }}
 apiVersion: batch/v1
 kind: Job
@@ -48,7 +47,7 @@ spec:
               subPath: ks-endpoints.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SVC_ENDPOINT
diff --git a/barbican/templates/job-ks-service.yaml b/barbican/templates/job-ks-service.yaml
index f63c4565ca..2f6b2cad45 100644
--- a/barbican/templates/job-ks-service.yaml
+++ b/barbican/templates/job-ks-service.yaml
@@ -11,7 +11,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "barbican-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.ks_service }}
 apiVersion: batch/v1
 kind: Job
@@ -47,7 +46,7 @@ spec:
               subPath: ks-service.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SERVICE_NAME
diff --git a/barbican/templates/job-ks-user.yaml b/barbican/templates/job-ks-user.yaml
index af526735b8..72956095d3 100644
--- a/barbican/templates/job-ks-user.yaml
+++ b/barbican/templates/job-ks-user.yaml
@@ -10,8 +10,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "barbican-env-keystone-admin" }}
-{{- $ksUserSecret := .Values.keystone.user_secret | default "barbican-env-keystone-user" }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
 apiVersion: batch/v1
@@ -47,16 +45,16 @@ spec:
               subPath: ks-user.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
               value: "barbican"
-{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_ROLE
-              value: {{ .Values.keystone.barbican_user_role | quote }}
+              value: {{ .Values.endpoints.identity.auth.user.role | quote }}
       volumes:
         - name: ks-user-sh
           configMap:
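Review bot: The two changed `with` lines read the secret names through different roots, `$envAll.Values.secrets.identity.admin` and `.Values.secrets.identity.user`, inside the same `env` list. Both resolve the same way here, because the `with` argument is evaluated before the dot is rebound, but the mix invites copying a `.Values` reference into a scope where `.` is no longer the chart root. Using `$envAll.Values.…` on both lines, as job-ks-endpoints.yaml and job-ks-service.yaml do, keeps the file uniform, and `SERVICE_OS_ROLE` could follow: `value: {{ $envAll.Values.endpoints.identity.auth.user.role | quote }}`. cinder/templates/job-ks-user.yaml has the same choice to make.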
diff --git a/heat/templates/secret-keystone-stack-user.env.yaml b/barbican/templates/secret-db.yaml
similarity index 51%
rename from heat/templates/secret-keystone-stack-user.env.yaml
rename to barbican/templates/secret-db.yaml
index 18bdf9a7ee..f8c9dffe58 100644
--- a/heat/templates/secret-keystone-stack-user.env.yaml
+++ b/barbican/templates/secret-db.yaml
@@ -11,20 +11,15 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.keystone_secrets.stack }}
+  name: {{ $secretName }}
 type: Opaque
 data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.keystone.heat_stack_region_name  | b64enc | indent 4 }}
-  OS_DOMAIN_NAME: |
-{{ .Values.conf.heat.default.heat.common.config.stack_user_domain_name | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.conf.heat.default.heat.common.config.stack_domain_admin | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.conf.heat.default.heat.common.config.stack_domain_admin_password | b64enc | indent 4 }}
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
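Review bot: `index $envAll.Values.secrets.oslo_db $userClass` yields an empty value when a key is missing, and nothing prevents `admin` and `user` from being set to the same name, so the loop can render a Secret with a null `name:` or two documents with the same name. Failing the render early is cheaper to diagnose: `{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass | required "secrets.oslo_db entry missing" }}`. The `user` class is new for this chart's database secret, and the values.yaml hunks on this page add no matching `oslo_db` credentials, so confirm the endpoint lookup has a `user` entry to read (it may already exist outside the hunks). The same template is added as cinder/templates/secret-db.yaml, and the name lookup recurs in both secret-keystone.yaml files.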
diff --git a/barbican/templates/secret-keystone-admin.env.yaml b/barbican/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index 99e086ca62..0000000000
--- a/barbican/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: barbican-env-keystone-admin
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name  | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain  | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name  | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain  | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.keystone.admin_user  | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.keystone.admin_password  | b64enc | indent 4 }}
diff --git a/barbican/templates/secret-keystone-user.env.yaml b/barbican/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index a642f8eed3..0000000000
--- a/barbican/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: barbican-env-keystone-user
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.region_name  | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name  | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.project_name  | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name  | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.username  | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.password  | b64enc | indent 4 }}
diff --git a/barbican/templates/secret-db-root.env.yaml b/barbican/templates/secret-keystone.yaml
similarity index 63%
rename from barbican/templates/secret-db-root.env.yaml
rename to barbican/templates/secret-keystone.yaml
index a3ff08516c..2507c3b3b8 100644
--- a/barbican/templates/secret-db-root.env.yaml
+++ b/barbican/templates/secret-keystone.yaml
@@ -1,3 +1,5 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -9,11 +11,15 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: barbican-db-root
+  name: {{ $secretName }}
 type: Opaque
 data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
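Review bot: `data:` is followed by an include with a left trim (`{{- tuple $userClass "internal" $envAll | include … | indent 2 -}}`), which removes the newline after `data:`; unless the `helm-toolkit.snippets.keystone_secret_openrc` snippet (defined outside this diff) starts with a newline, the first key lands on the `data:` line and the manifest does not parse. Rendering the chart once and checking both the `admin` and `user` documents would confirm it. A short template comment stating what the snippet is expected to emit (presumably the base64-encoded `OS_*` keys that the deleted secret-keystone-*.env.yaml files wrote by hand) would document the contract this file now depends on. cinder/templates/secret-keystone.yaml is identical.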
diff --git a/barbican/values.yaml b/barbican/values.yaml
index 2f707379f9..02aa941339 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -45,22 +45,6 @@ network:
       enabled: false
       port: 39486
 
-keystone:
-  admin_user: "admin"
-  admin_user_domain: "default"
-  admin_password: "password"
-  admin_project_name: "admin"
-  admin_project_domain: "default"
-  admin_region_name: "RegionOne"
-
-  barbican_user: "barbican"
-  barbican_user_domain: "default"
-  barbican_user_role: "admin"
-  barbican_password: "password"
-  barbican_project_name: "service"
-  barbican_project_domain: "default"
-  barbican_region_name: "RegionOne"
-
 dependencies:
   db_init:
     services:
@@ -115,12 +99,6 @@ conf:
         auth_token:
           auth_type: password
           auth_version: v3
-          region_name: RegionOne
-          project_domain_name: default
-          project_name: service
-          user_domain_name: default
-          username: barbican
-          password: password
     database:
       oslo:
         db:
@@ -130,9 +108,34 @@ conf:
         config:
           bind_port: 9311
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: barbican-keystone-admin
+    user: barbican-keystone-user
+  oslo_db:
+    admin: barbican-db-admin
+    user: barbican-db-user
+
 endpoints:
   identity:
     name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      user:
+        role: admin
+        region_name: RegionOne
+        username: barbican
+        password: password
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
     hosts:
       default: keystone-api
       public: keystone
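Review bot: The new `endpoints.identity.auth` block ships `password: password` for both the Keystone `admin` account and the `barbican` service user, plus `role: admin` for the service user, so an install that does not override values runs with known credentials. Leaving the passwords unset here and failing the render when they are empty would make that impossible to miss; at minimum add a comment such as `# Example credentials only: override before any non-test deployment`. The same defaults are added to cinder/values.yaml. The comment on `secrets:` could also say that these are the names of Secret objects the chart itself creates (secret-keystone.yaml, secret-db.yaml), not references to pre-existing ones.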
diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml
index 6446a281f4..b4217edb26 100644
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
@@ -23,6 +23,25 @@
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
 
+{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
+{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.project_name -}}
+{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}}
+{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}}
+{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.username -}}
+{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.password -}}
+{{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}}
 {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}}
 {{- end -}}
diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml
index 13cc3a856b..584616d95e 100644
--- a/cinder/templates/job-bootstrap.yaml
+++ b/cinder/templates/job-bootstrap.yaml
@@ -14,7 +14,6 @@
 
 {{- if .Values.bootstrap.enabled }}
 {{- $envAll := . }}
-{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "cinder-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.bootstrap }}
 apiVersion: batch/v1
 kind: Job
@@ -44,7 +43,7 @@ spec:
           command:
             - /tmp/bootstrap.sh
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
           volumeMounts:
diff --git a/cinder/templates/job-db-init.yaml b/cinder/templates/job-db-init.yaml
index 15f5b85108..37a00751e0 100644
--- a/cinder/templates/job-db-init.yaml
+++ b/cinder/templates/job-db-init.yaml
@@ -43,7 +43,7 @@ spec:
             - name: ROOT_DB_CONNECTION
               valueFrom:
                 secretKeyRef:
-                  name: cinder-db-root
+                  name: {{ .Values.secrets.oslo_db.admin }}
                   key: DB_CONNECTION
             - name: OPENSTACK_CONFIG_FILE
               value: /etc/cinder/cinder.conf
diff --git a/cinder/templates/job-ks-endpoints.yaml b/cinder/templates/job-ks-endpoints.yaml
index 0cdfd2bc89..b10d4ee835 100644
--- a/cinder/templates/job-ks-endpoints.yaml
+++ b/cinder/templates/job-ks-endpoints.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "cinder-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.ks_endpoints }}
 apiVersion: batch/v1
 kind: Job
@@ -50,7 +49,7 @@ spec:
               subPath: ks-endpoints.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SVC_ENDPOINT
diff --git a/cinder/templates/job-ks-service.yaml b/cinder/templates/job-ks-service.yaml
index 56ecfc1e26..2e4e0c2f3b 100644
--- a/cinder/templates/job-ks-service.yaml
+++ b/cinder/templates/job-ks-service.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "cinder-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.ks_service }}
 apiVersion: batch/v1
 kind: Job
@@ -49,7 +48,7 @@ spec:
               subPath: ks-service.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SERVICE_NAME
diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml
index 521e9ea852..ea884376ba 100644
--- a/cinder/templates/job-ks-user.yaml
+++ b/cinder/templates/job-ks-user.yaml
@@ -12,8 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "cinder-env-keystone-admin" }}
-{{- $ksUserSecret := .Values.keystone.user_secret | default "cinder-env-keystone-user" }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
 apiVersion: batch/v1
@@ -49,16 +47,16 @@ spec:
               subPath: ks-user.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
               value: "cinder"
-{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_ROLE
-              value: {{ .Values.keystone.cinder_user_role | quote }}
+              value: {{ .Values.endpoints.identity.auth.user.role | quote }}
       volumes:
         - name: ks-user-sh
           configMap:
diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml
index 22b5648687..80caaaf399 100644
--- a/cinder/templates/pod-rally-test.yaml
+++ b/cinder/templates/pod-rally-test.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "cinder-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.tests }}
 {{- $mounts_cinder_tests := .Values.mounts.cinder_tests.cinder_tests }}
 {{- $mounts_cinder_tests_init := .Values.mounts.cinder_tests.init_container }}
@@ -42,7 +41,7 @@ spec:
           memory: {{ .Values.resources.tests.requests.memory | quote }}
       {{- end }}
       env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
 {{- end }}
         - name: RALLY_ENV_NAME
diff --git a/cinder/templates/secret-db-root.env.yaml b/cinder/templates/secret-db-root.env.yaml
deleted file mode 100644
index 1af541d40c..0000000000
--- a/cinder/templates/secret-db-root.env.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cinder-db-root
-type: Opaque
-data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
diff --git a/cinder/templates/secret-db.yaml b/cinder/templates/secret-db.yaml
new file mode 100644
index 0000000000..f8c9dffe58
--- /dev/null
+++ b/cinder/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/cinder/templates/secret-keystone-admin.env.yaml b/cinder/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index f804604ff5..0000000000
--- a/cinder/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cinder-env-keystone-admin
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name  | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain  | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name  | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain  | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.keystone.admin_user  | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.keystone.admin_password  | b64enc | indent 4 }}
diff --git a/cinder/templates/secret-keystone-user.env.yaml b/cinder/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index 15457b23d2..0000000000
--- a/cinder/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cinder-env-keystone-user
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }}
diff --git a/cinder/templates/secret-keystone.yaml b/cinder/templates/secret-keystone.yaml
new file mode 100644
index 0000000000..2507c3b3b8
--- /dev/null
+++ b/cinder/templates/secret-keystone.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
diff --git a/cinder/values.yaml b/cinder/values.yaml
index b42e4aeb0d..d8b25798b1 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@@ -67,15 +67,6 @@ bootstrap:
       group:
       volume_backend_name:
 
-keystone:
-  admin_user: "admin"
-  admin_user_domain: "default"
-  admin_password: "password"
-  admin_project_name: "admin"
-  admin_project_domain: "default"
-  admin_region_name: "RegionOne"
-  cinder_user_role: "admin"
-
 network:
   api:
     ingress:
@@ -129,12 +120,6 @@ conf:
         auth_token:
           auth_version: v3
           auth_type: password
-          region_name: RegionOne
-          project_domain_name: default
-          project_name: service
-          user_domain_name: default
-          username: cinder
-          password: password
     oslo_concurrency:
       oslo:
         concurrency:
@@ -235,12 +220,37 @@ dependencies:
     - service: volume
       endpoint: internal
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: cinder-keystone-admin
+    user: cinder-keystone-user
+  oslo_db:
+    admin: cinder-db-admin
+    user: cinder-db-user
+
 # We use a different layout of the endpoints here to account for versioning
 # this swaps the service name and type, and should be rolled out to other
 # services.
 endpoints:
   identity:
     name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      user:
+        role: admin
+        region_name: RegionOne
+        username: cinder
+        password: password
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
     hosts:
       default: keystone-api
       public: keystone
diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml
index c751b64f66..f4e1a2764f 100644
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
@@ -29,6 +29,44 @@
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
 
+{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
+{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.project_name -}}
+{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}}
+{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}}
+{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.username -}}
+{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.password -}}
+{{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}}
+{{- end -}}
+
+{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
+{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.project_name -}}
+{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}}
+{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}}
+{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.username -}}
+{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.password -}}
+{{- set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}}
 {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}}
 {{- end -}}
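Review bot: The `password` block in each group copies `endpoints.identity.auth.user.password` into `.Values.conf`, and this file goes on to declare a `kind: ConfigMap`, so the service password presumably ends up in a ConfigMap rather than a Secret. The part that renders `.Values.conf` is outside the hunk, so this needs confirming. ConfigMaps are typically readable by more principals than Secrets and get none of the Secret-specific handling. If the config file has to carry the password, I would at least record it above the block with `{{- /* the keystone password set below is rendered into the ConfigMap; restrict read access to it */ -}}`, and longer term render the file from a Secret. heat/templates/configmap-etc.yaml has the same pattern.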
@@ -66,6 +104,7 @@
 {{- tuple "image" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.glance.default.glance.api "public_endpoint" | quote | trunc 0 -}}
 {{- end -}}
 
+
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml
index fd36e23def..eb52825dc7 100644
--- a/glance/templates/job-bootstrap.yaml
+++ b/glance/templates/job-bootstrap.yaml
@@ -13,8 +13,8 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "glance-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.bootstrap }}
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -41,7 +41,7 @@ spec:
               memory: {{ .Values.resources.jobs.bootstrap.requests.memory | quote }}
           {{- end }}
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
           command:
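Review bot: This `with` header reads `.Values.secrets.identity.admin`, while job-ks-endpoints.yaml and job-ks-service.yaml in the same commit use `$envAll.Values.secrets.identity.admin`. The two forms are equivalent only while `.` is still the root context at this line, and the enclosing structure is not fully visible in the hunk. I would use `{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}` here, in glance/templates/job-ks-user.yaml and pod-rally-test.yaml, and on the user and trustee lines of heat/templates/job-ks-user.yaml. That way the lookup keeps working if the line is later wrapped in a `range` or `with`.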
diff --git a/glance/templates/job-db-init.yaml b/glance/templates/job-db-init.yaml
index 76c9ba820b..11518c854d 100644
--- a/glance/templates/job-db-init.yaml
+++ b/glance/templates/job-db-init.yaml
@@ -43,7 +43,7 @@ spec:
             - name: ROOT_DB_CONNECTION
               valueFrom:
                 secretKeyRef:
-                  name: glance-db-root
+                  name: {{ .Values.secrets.oslo_db.admin }}
                   key: DB_CONNECTION
             - name: OPENSTACK_CONFIG_FILE
               value: /etc/glance/glance-api.conf
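Review bot: `name: {{ .Values.secrets.oslo_db.admin }}` is rendered unquoted, so an empty or number-like override produces `name:` with a null or non-string value, and the failure only shows when the manifest is applied. I would write `name: {{ .Values.secrets.oslo_db.admin | quote }}`. The same applies to heat/templates/job-db-init.yaml, the four `secretKeyRef` names in heat/templates/job-ks-user.yaml, and `name: {{ $secretName }}` in the new secret-db.yaml and secret-keystone.yaml templates. The container spec starts and ends outside this hunk.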
diff --git a/glance/templates/job-ks-endpoints.yaml b/glance/templates/job-ks-endpoints.yaml
index f163f4394d..401a3d0f47 100644
--- a/glance/templates/job-ks-endpoints.yaml
+++ b/glance/templates/job-ks-endpoints.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "glance-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.ks_endpoints }}
 apiVersion: batch/v1
 kind: Job
@@ -50,7 +49,7 @@ spec:
               subPath: ks-endpoints.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SVC_ENDPOINT
diff --git a/glance/templates/job-ks-service.yaml b/glance/templates/job-ks-service.yaml
index aa6587cd1c..0b22ad26e7 100644
--- a/glance/templates/job-ks-service.yaml
+++ b/glance/templates/job-ks-service.yaml
@@ -11,10 +11,9 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "glance-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.ks_service }}
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -49,7 +48,7 @@ spec:
               subPath: ks-service.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SERVICE_NAME
diff --git a/glance/templates/job-ks-user.yaml b/glance/templates/job-ks-user.yaml
index 9ffd431709..f9aa6224f5 100644
--- a/glance/templates/job-ks-user.yaml
+++ b/glance/templates/job-ks-user.yaml
@@ -11,11 +11,9 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "glance-env-keystone-admin" }}
-{{- $ksUserSecret := .Values.keystone.user_secret | default "glance-env-keystone-user" }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -49,16 +47,16 @@ spec:
               subPath: ks-user.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
               value: "glance"
-{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_ROLE
-              value: {{ .Values.keystone.glance_user_role | quote }}
+              value: {{ .Values.endpoints.identity.auth.user.role | quote }}
       volumes:
         - name: ks-user-sh
           configMap:
diff --git a/glance/templates/pod-rally-test.yaml b/glance/templates/pod-rally-test.yaml
index f4d8d983f0..3e48c5c230 100644
--- a/glance/templates/pod-rally-test.yaml
+++ b/glance/templates/pod-rally-test.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "glance-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.tests }}
 {{- $mounts_glance_tests := .Values.mounts.glance_tests.glance_tests }}
 {{- $mounts_glance_tests_init := .Values.mounts.glance_tests.init_container }}
@@ -42,7 +41,7 @@ spec:
           memory: {{ .Values.resources.tests.requests.memory | quote }}
       {{- end }}
       env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
 {{- end }}
         - name: RALLY_ENV_NAME
diff --git a/glance/templates/secret-db-root.env.yaml b/glance/templates/secret-db-root.env.yaml
deleted file mode 100644
index f01d1d90f5..0000000000
--- a/glance/templates/secret-db-root.env.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: glance-db-root
-type: Opaque
-data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
diff --git a/glance/templates/secret-db.yaml b/glance/templates/secret-db.yaml
new file mode 100644
index 0000000000..f8c9dffe58
--- /dev/null
+++ b/glance/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
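Review bot: Nothing in this new template says that it emits two Secrets, or that the `admin` one holds the database admin connection URI with its credentials. A short comment after the license header would help, for example `# One Secret per oslo_db user class; the admin Secret carries the DB admin URI and is consumed by job-db-init.` `$key1` is never used, so `range $userClass := tuple "admin" "user"` would also read more directly. heat/templates/secret-db.yaml is identical and would take the same comment.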
diff --git a/glance/templates/secret-keystone-admin.env.yaml b/glance/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index 0e57ce09db..0000000000
--- a/glance/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: glance-env-keystone-admin
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name  | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain  | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name  | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain  | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.keystone.admin_user  | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.keystone.admin_password  | b64enc | indent 4 }}
diff --git a/glance/templates/secret-keystone-user.env.yaml b/glance/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index 30052ab7a0..0000000000
--- a/glance/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: glance-env-keystone-user
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }}
diff --git a/glance/templates/secret-keystone.yaml b/glance/templates/secret-keystone.yaml
new file mode 100644
index 0000000000..2507c3b3b8
--- /dev/null
+++ b/glance/templates/secret-keystone.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
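Review bot: Both user classes are passed to `helm-toolkit.snippets.keystone_secret_openrc` with `"internal"`, whereas the deleted secret-keystone-admin.env.yaml built `OS_AUTH_URL` for the admin secret from the `admin` endpoint (`tuple "identity" "admin" "admin"`). If the snippet uses that argument to pick the auth URL, which is not visible here, the admin jobs now authenticate against the internal endpoint. If that is intended, a comment such as `# admin and user secrets both use the internal identity endpoint` would make it explicit. Otherwise the endpoint type needs to vary with `$userClass`.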
diff --git a/glance/values.yaml b/glance/values.yaml
index e5ed078bee..c5ba55dc68 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -76,16 +76,6 @@ bootstrap:
         hypervisor_type: "qemu"
         os_distro: "cirros"
 
-keystone:
-  admin_user: "admin"
-  admin_user_domain: "default"
-  admin_password: "password"
-  admin_project_name: "admin"
-  admin_project_domain: "default"
-  admin_region_name: "RegionOne"
-  glance_user_role: "admin"
-
-
 conf:
   rally_tests:
     override:
@@ -120,12 +110,6 @@ conf:
         auth_token:
           auth_type: password
           auth_version: v3
-          region_name: RegionOne
-          project_domain_name: default
-          project_name: service
-          user_domain_name: default
-          username: glance
-          password: password
     glance_store:
       glance:
         store:
@@ -151,12 +135,6 @@ conf:
         auth_token:
           auth_type: password
           auth_version: v3
-          region_name: RegionOne
-          project_domain_name: default
-          project_name: service
-          user_domain_name: default
-          username: glance
-          password: password
 
 network:
   api:
@@ -296,12 +274,37 @@ dependencies:
     - service: image
       endpoint: internal
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: glance-keystone-admin
+    user: glance-keystone-user
+  oslo_db:
+    admin: glance-db-admin
+    user: glance-db-user
+
 # typically overriden by environmental
 # values, but should include all endpoints
 # required by this chart
 endpoints:
   identity:
     name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      user:
+        role: admin
+        region_name: RegionOne
+        username: glance
+        password: password
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
     hosts:
       default: keystone-api
       public: keystone
diff --git a/heat/templates/configmap-etc.yaml b/heat/templates/configmap-etc.yaml
index 5097230d42..27dd71cd8e 100644
--- a/heat/templates/configmap-etc.yaml
+++ b/heat/templates/configmap-etc.yaml
@@ -23,6 +23,54 @@
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
 
+{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
+{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.project_name -}}
+{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}}
+{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}}
+{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.username -}}
+{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.password -}}
+{{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.trustee.heat.common.context.region_name -}}
+{{- set .Values.conf.heat.trustee.heat.common.context "region_name" .Values.endpoints.identity.auth.trustee.region_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.trustee.heat.common.context.project_name -}}
+{{- set .Values.conf.heat.trustee.heat.common.context "project_name" .Values.endpoints.identity.auth.trustee.project_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.trustee.heat.common.context.project_domain_name -}}
+{{- set .Values.conf.heat.trustee.heat.common.context "project_domain_name" .Values.endpoints.identity.auth.trustee.project_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.trustee.heat.common.context.user_domain_name -}}
+{{- set .Values.conf.heat.trustee.heat.common.context "user_domain_name" .Values.endpoints.identity.auth.trustee.user_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.trustee.heat.common.context.username -}}
+{{- set .Values.conf.heat.trustee.heat.common.context "username" .Values.endpoints.identity.auth.trustee.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.trustee.heat.common.context.password -}}
+{{- set .Values.conf.heat.trustee.heat.common.context "password" .Values.endpoints.identity.auth.trustee.password | quote | trunc 0 -}}
+{{- end -}}
+
+{{- if empty .Values.conf.heat.default.heat.common.config.stack_user_domain_name -}}
+{{- set .Values.conf.heat.default.heat.common.config "stack_user_domain_name" .Values.endpoints.identity.auth.stack_user.region_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.default.heat.common.config.stack_domain_admin -}}
+{{- set .Values.conf.heat.default.heat.common.config "stack_domain_admin" .Values.endpoints.identity.auth.stack_user.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.heat.default.heat.common.config.stack_domain_admin_password -}}
+{{- set .Values.conf.heat.default.heat.common.config "stack_domain_admin_password" .Values.endpoints.identity.auth.stack_user.password | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}}
 {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}}
 {{- end -}}
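Review bot: `stack_user_domain_name` is filled from `.Values.endpoints.identity.auth.stack_user.region_name`, which looks like a copy-paste slip. When the option is left empty, the region name would be written as Heat's stack user domain. heat/values.yaml is not in view, so the exact key is an assumption. The ks-user job does read `OS_DOMAIN_NAME` from the stack_user secret, which suggests the line should be `{{- set .Values.conf.heat.default.heat.common.config "stack_user_domain_name" .Values.endpoints.identity.auth.stack_user.domain_name | quote | trunc 0 -}}`.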
diff --git a/heat/templates/job-db-init.yaml b/heat/templates/job-db-init.yaml
index 1693fbcc86..76162596b3 100644
--- a/heat/templates/job-db-init.yaml
+++ b/heat/templates/job-db-init.yaml
@@ -43,7 +43,7 @@ spec:
             - name: ROOT_DB_CONNECTION
               valueFrom:
                 secretKeyRef:
-                  name: heat-db-root
+                  name: {{ .Values.secrets.oslo_db.admin }}
                   key: DB_CONNECTION
             - name: OPENSTACK_CONFIG_FILE
               value: /etc/heat/heat.conf
diff --git a/heat/templates/job-ks-endpoints.yaml b/heat/templates/job-ks-endpoints.yaml
index 9010a55daf..32892f4993 100644
--- a/heat/templates/job-ks-endpoints.yaml
+++ b/heat/templates/job-ks-endpoints.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
 {{- $dependencies := .Values.dependencies.ks_endpoints }}
 apiVersion: batch/v1
 kind: Job
@@ -50,7 +49,7 @@ spec:
               subPath: ks-endpoints.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SVC_ENDPOINT
diff --git a/heat/templates/job-ks-service.yaml b/heat/templates/job-ks-service.yaml
index 22de825ca8..b3e59fe8e2 100644
--- a/heat/templates/job-ks-service.yaml
+++ b/heat/templates/job-ks-service.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
 {{- $dependencies := .Values.dependencies.ks_service }}
 apiVersion: batch/v1
 kind: Job
@@ -49,7 +48,7 @@ spec:
               subPath: ks-service.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SERVICE_NAME
diff --git a/heat/templates/job-ks-user.yaml b/heat/templates/job-ks-user.yaml
index f954fa2a9c..99f02a9c97 100644
--- a/heat/templates/job-ks-user.yaml
+++ b/heat/templates/job-ks-user.yaml
@@ -14,11 +14,7 @@
 
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
-{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
-{{- $ksUserSecret := .Values.keystone_secrets.user }}
 # The heat user management job is a bit different from other services as it also needs to create a stack domain and trusts user
-{{- $ksTrusteeUserSecret := .Values.keystone_secrets.trustee }}
-{{- $ksStackUserSecret := .Values.keystone_secrets.stack }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -52,21 +48,20 @@ spec:
               subPath: ks-user.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
               value: "heat"
-{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_ROLE
-              value: {{ .Values.keystone.heat_user_role | quote }}
+              value: {{ .Values.endpoints.identity.auth.user.role | quote }}
         - name: heat-ks-trustee-user
           image: {{ .Values.images.ks_user }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
           command:
-            - bash
             - /tmp/ks-user.sh
           volumeMounts:
             - name: ks-user-sh
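Review bot: Dropping `- bash` leaves `command` as just `/tmp/ks-user.sh` for the `heat-ks-trustee-user` container, so the script is now exec'd directly from a read-only configMap `subPath` mount. That works only if the `ks-user-sh` volume sets an executable mode and the script starts with a shebang, neither of which is visible in this hunk. The next hunk makes the same change for `/tmp/ks-domain-user.sh`. Either keep `- bash` in both places or confirm the volume carries something like `defaultMode: 0555`. The container list starts and ends outside the hunk.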
@@ -74,21 +69,20 @@ spec:
               subPath: ks-user.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
               value: "heat"
-{{- with $env := dict "ksUserSecret" $ksTrusteeUserSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.trustee }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_ROLE
-              value: {{ .Values.keystone.heat_trustee_role | quote }}
+              value: {{ .Values.endpoints.identity.auth.trustee.role | quote }}
         - name: heat-ks-domain-user
           image: {{ .Values.images.ks_user }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
           command:
-            - bash
             - /tmp/ks-domain-user.sh
           volumeMounts:
             - name: ks-user-sh
@@ -96,7 +90,7 @@ spec:
               subPath: ks-domain-user.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
@@ -104,25 +98,25 @@ spec:
             - name: SERVICE_OS_REGION_NAME
               valueFrom:
                 secretKeyRef:
-                  name: {{ $ksStackUserSecret }}
+                  name: {{ .Values.secrets.identity.stack_user }}
                   key: OS_REGION_NAME
             - name: SERVICE_OS_DOMAIN_NAME
               valueFrom:
                 secretKeyRef:
-                  name: {{ $ksStackUserSecret }}
+                  name: {{ .Values.secrets.identity.stack_user }}
                   key: OS_DOMAIN_NAME
             - name: SERVICE_OS_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: {{ $ksStackUserSecret }}
+                  name: {{ .Values.secrets.identity.stack_user }}
                   key: OS_USERNAME
             - name: SERVICE_OS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ $ksStackUserSecret }}
+                  name: {{ .Values.secrets.identity.stack_user }}
                   key: OS_PASSWORD
             - name: SERVICE_OS_ROLE
-              value: {{ .Values.keystone.heat_stack_user_role | quote }}
+              value: {{ .Values.endpoints.identity.auth.stack_user.role | quote }}
       volumes:
         - name: ks-user-sh
           configMap:
diff --git a/heat/templates/secret-db-root.env.yaml b/heat/templates/secret-db-root.env.yaml
deleted file mode 100644
index a4fbce8621..0000000000
--- a/heat/templates/secret-db-root.env.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: heat-db-root
-type: Opaque
-data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
diff --git a/heat/templates/secret-db.yaml b/heat/templates/secret-db.yaml
new file mode 100644
index 0000000000..f8c9dffe58
--- /dev/null
+++ b/heat/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/heat/templates/secret-keystone-admin.env.yaml b/heat/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index f795623847..0000000000
--- a/heat/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.keystone_secrets.admin }}
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name  | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain  | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name  | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain  | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.keystone.admin_user  | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.keystone.admin_password  | b64enc | indent 4 }}
diff --git a/heat/templates/secret-keystone-trustee.env.yaml b/heat/templates/secret-keystone-trustee.env.yaml
deleted file mode 100644
index 3d92a70132..0000000000
--- a/heat/templates/secret-keystone-trustee.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.keystone_secrets.trustee }}
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.keystone.heat_trustee_region_name  | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.heat.trustee.heat.common.context.project_domain_name | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.conf.heat.trustee.heat.common.context.project_name | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.heat.trustee.heat.common.context.user_domain_name | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.conf.heat.trustee.heat.common.context.username | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.conf.heat.trustee.heat.common.context.password | b64enc | indent 4 }}
diff --git a/heat/templates/secret-keystone-user.env.yaml b/heat/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index 77ac3a3ca7..0000000000
--- a/heat/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.keystone_secrets.user }}
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }}
diff --git a/heat/templates/secret-keystone.yaml b/heat/templates/secret-keystone.yaml
new file mode 100644
index 0000000000..8be0183661
--- /dev/null
+++ b/heat/templates/secret-keystone.yaml
@@ -0,0 +1,37 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" "trustee" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $envAll.Values.secrets.identity.stack_user }}
+type: Opaque
+data:
+  OS_AUTH_URL: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
+  OS_REGION_NAME: {{ .Values.endpoints.identity.auth.stack_user.region_name | b64enc | indent 4 }}
+  OS_DOMAIN_NAME: {{ .Values.endpoints.identity.auth.stack_user.domain_name | b64enc | indent 4 }}
+  OS_USERNAME: {{ .Values.endpoints.identity.auth.stack_user.username | b64enc | indent 4 }}
+  OS_PASSWORD: {{ .Values.endpoints.identity.auth.stack_user.password | b64enc | indent 4 }}
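Review bot: The five `| indent 4` calls in the `stack_user` Secret are left over from the block-scalar layout of the deleted `.env.yaml` files; on an inline value they only put four spaces in front of the base64 text. Dropping them, as in `OS_PASSWORD: {{ $envAll.Values.endpoints.identity.auth.stack_user.password | b64enc }}`, matches what the `keystone_secret_openrc` snippet emits for the other three Secrets in this file. The last four lines also switch from `$envAll` to `.`, which works once the `range` has ended, but using `$envAll` throughout keeps the file consistent.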
diff --git a/heat/values.yaml b/heat/values.yaml
index 2a0e8eb122..a031425b41 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -64,29 +64,6 @@ termination_grace_period:
   cloudwatch:
     timeout: 30
 
-keystone_secrets:
-  admin: "heat-env-keystone-admin"
-  user: "heat-env-keystone-user"
-  trustee: "heat-env-keystone-trustee"
-  stack: "heat-env-keystone-stack-user"
-
-keystone:
-  admin_user: "admin"
-  admin_user_domain: "default"
-  admin_password: "password"
-  admin_project_name: "admin"
-  admin_project_domain: "default"
-  admin_region_name: "RegionOne"
-
-  heat_user_role: "admin"
-
-  heat_trustee_role: "admin"
-  heat_trustee_region_name: "RegionOne"
-
-  heat_stack_user_role: "admin"
-  heat_stack_region_name: "RegionOne"
-
-
 conf:
   paste:
     override:
@@ -101,9 +78,6 @@ conf:
       heat:
         common:
           config:
-            stack_user_domain_name: heat
-            stack_domain_admin: heat-domain
-            stack_domain_admin_password: password
             num_engine_workers: 4
             trusts_delegated_roles: _member_
     keystone_authtoken:
@@ -111,24 +85,12 @@ conf:
         auth_token:
           auth_type: password
           auth_version: v3
-          region_name: RegionOne
-          project_domain_name: default
-          project_name: service
-          user_domain_name: default
-          username: heat
-          password: password
     trustee:
       heat:
         common:
           context:
             auth_section: trustee
             auth_type: password
-            password: password
-            user_domain_name: default
-            username: heat-trust
-            project_domain_name: default
-            project_name: service
-            region_name: RegionOne
             auth_version: v3
     heat_api:
       heat:
@@ -249,12 +211,53 @@ dependencies:
     - service: identity
       endpoint: internal
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: heat-keystone-admin
+    user: heat-keystone-user
+    trustee: heat-keystone-trustee
+    stack_user: heat-keystone-stack-user
+  oslo_db:
+    admin: heat-db-admin
+    user: heat-db-user
+
 # typically overriden by environmental
 # values, but should include all endpoints
 # required by this chart
 endpoints:
   identity:
     name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      user:
+        role: admin
+        region_name: RegionOne
+        username: heat
+        password: password
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+      trustee:
+        role: admin
+        region_name: RegionOne
+        username: heat-trust
+        password: password
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+      stack_user:
+        role: admin
+        region_name: RegionOne
+        username: heat-trust
+        password: password
+        domain_name: heat
     hosts:
       default: keystone-api
       public: keystone
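Review bot: `endpoints.identity.auth.stack_user.username` is set to `heat-trust`, the same name as the `trustee` user, while an earlier hunk of this file removes `stack_domain_admin: heat-domain` from `conf`; this looks like a copy-paste slip that would presumably make the stack-domain admin and the trustee share one account name. If the old name is still intended, the line should read `username: heat-domain`. Separately, every `password: password` under `auth:` here, and in the `auth.admin` block added to keystone/values.yaml, is a working default credential, so a comment above `auth:` such as `# placeholder credentials, override per deployment` would help operators.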
diff --git a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000000..3229f6a30d
--- /dev/null
+++ b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,27 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{  $userContext.region_name | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{  $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{  $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{  $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{  $userContext.username | b64enc }}
+OS_PASSWORD: {{  $userContext.password | b64enc }}
+{{- end }}
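Review bot: The new `keystone_secret_openrc` define takes a positional tuple, but nothing documents the order, and an entry with a missing or empty field is not rejected. A comment above the `define` should state that the arguments are the user class (a key under `endpoints.identity.auth`), the identity endpoint type, and the root context. If the Helm version in use provides `required`, `OS_PASSWORD: {{ required "identity auth password must be set" $userContext.password | b64enc }}` turns an unset password into a render error instead of, presumably, an empty Secret value.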
diff --git a/keystone/templates/bin/_db-sync.sh.tpl b/keystone/templates/bin/_db-sync.sh.tpl
index e0b6c7a185..b5ed607991 100644
--- a/keystone/templates/bin/_db-sync.sh.tpl
+++ b/keystone/templates/bin/_db-sync.sh.tpl
@@ -19,10 +19,10 @@ set -ex
 keystone-manage --config-file=/etc/keystone/keystone.conf db_sync
 
 keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \
-    --bootstrap-username {{ .Values.keystone.admin_user }} \
-    --bootstrap-password {{ .Values.keystone.admin_password }} \
-    --bootstrap-project-name {{ .Values.keystone.admin_project_name }} \
-    --bootstrap-admin-url {{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} \
-    --bootstrap-public-url {{ tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} \
-    --bootstrap-internal-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} \
-    --bootstrap-region-id {{ .Values.keystone.admin_region_name }}
+    --bootstrap-username ${OS_USERNAME} \
+    --bootstrap-password ${OS_PASSWORD} \
+    --bootstrap-project-name ${OS_PROJECT_NAME} \
+    --bootstrap-admin-url ${OS_BOOTSTRAP_ADMIN_URL} \
+    --bootstrap-public-url ${OS_BOOTSTRAP_PUBLIC_URL} \
+    --bootstrap-internal-url ${OS_BOOTSTRAP_INTERNAL_URL} \
+    --bootstrap-region-id ${OS_REGION_NAME}
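Review bot: The new `${OS_PASSWORD}` and sibling expansions are unquoted, so a password or URL containing whitespace or glob characters is split or expanded before `keystone-manage` sees it; each should be quoted, e.g. `--bootstrap-password "${OS_PASSWORD}" \`. The hunk header shows the script runs under `set -ex`, so the expanded command line, password included, is presumably echoed to the job log. Putting `set +x` before the bootstrap call and `set -x` after it avoids that. The start of the script is outside this hunk.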
diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml
index e399768982..09da695d85 100644
--- a/keystone/templates/job-bootstrap.yaml
+++ b/keystone/templates/job-bootstrap.yaml
@@ -14,7 +14,6 @@
 
 {{- if .Values.bootstrap.enabled }}
 {{- $envAll := . }}
-{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "keystone-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.bootstrap }}
 {{- $mounts_keystone_bootstrap := .Values.mounts.keystone_bootstrap.keystone_bootstrap }}
 {{- $mounts_keystone_bootstrap_init := .Values.mounts.keystone_bootstrap.init_container }}
@@ -45,7 +44,7 @@ spec:
               memory: {{ .Values.resources.jobs.bootstrap.requests.memory | quote }}
           {{- end }}
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
           command:
diff --git a/keystone/templates/job-db-init.yaml b/keystone/templates/job-db-init.yaml
index 50cd04a6e2..626954146b 100644
--- a/keystone/templates/job-db-init.yaml
+++ b/keystone/templates/job-db-init.yaml
@@ -47,7 +47,7 @@ spec:
             - name: ROOT_DB_CONNECTION
               valueFrom:
                 secretKeyRef:
-                  name: keystone-db-root
+                  name: {{ .Values.secrets.oslo_db.admin }}
                   key: DB_CONNECTION
             - name: OPENSTACK_CONFIG_FILE
               value: /etc/keystone/keystone.conf
diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml
index 2341b150db..8300dc7f14 100644
--- a/keystone/templates/job-db-sync.yaml
+++ b/keystone/templates/job-db-sync.yaml
@@ -43,6 +43,16 @@ spec:
               cpu: {{ .Values.resources.jobs.db_sync.requests.cpu | quote }}
               memory: {{ .Values.resources.jobs.db_sync.requests.memory | quote }}
           {{- end }}
+          env:
+            - name: OS_BOOTSTRAP_ADMIN_URL
+              value: {{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+            - name: OS_BOOTSTRAP_PUBLIC_URL
+              value: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+            - name: OS_BOOTSTRAP_INTERNAL_URL
+              value: {{ tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
           command:
             - /tmp/db-sync.sh
           volumeMounts:
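Review bot: The values for `OS_BOOTSTRAP_PUBLIC_URL` and `OS_BOOTSTRAP_INTERNAL_URL` are swapped: the public variable is rendered from the `"internal"` endpoint and the internal one from `"public"`, whereas the lines removed from `_db-sync.sh.tpl` passed `"public"` to `--bootstrap-public-url` and `"internal"` to `--bootstrap-internal-url`. The two lookups should be exchanged, so that `OS_BOOTSTRAP_PUBLIC_URL` gets `value: {{ tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}` and `OS_BOOTSTRAP_INTERNAL_URL` gets the `"internal"` one. Piping each value through `quote`, as the neighbouring `cpu` and `memory` lines do, would also keep the rendered URL a string. The container spec continues outside the hunk.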
diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml
index 1f526e2082..01340ef82a 100644
--- a/keystone/templates/pod-rally-test.yaml
+++ b/keystone/templates/pod-rally-test.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "keystone-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.tests }}
 {{- $mounts_keystone_tests := .Values.mounts.keystone_tests.keystone_tests }}
 {{- $mounts_keystone_tests_init := .Values.mounts.keystone_tests.init_container }}
@@ -42,7 +41,7 @@ spec:
           memory: {{ .Values.resources.tests.requests.memory | quote }}
       {{- end }}
       env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
 {{- end }}
         - name: RALLY_ENV_NAME
diff --git a/keystone/templates/secret-db-root.env.yaml b/keystone/templates/secret-db-root.env.yaml
deleted file mode 100644
index 4623037da2..0000000000
--- a/keystone/templates/secret-db-root.env.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: keystone-db-root
-type: Opaque
-data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
diff --git a/keystone/templates/secret-db.yaml b/keystone/templates/secret-db.yaml
new file mode 100644
index 0000000000..f8c9dffe58
--- /dev/null
+++ b/keystone/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/keystone/templates/secret-keystone-admin.env.yaml b/keystone/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index 3652bb7a13..0000000000
--- a/keystone/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: keystone-env-keystone-admin
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name  | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain  | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name  | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain  | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.keystone.admin_user  | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.keystone.admin_password  | b64enc | indent 4 }}
diff --git a/mistral/templates/secret-db-root.env.yaml b/keystone/templates/secret-keystone.yaml
similarity index 68%
rename from mistral/templates/secret-db-root.env.yaml
rename to keystone/templates/secret-keystone.yaml
index d9a3e8734a..032eec642c 100644
--- a/mistral/templates/secret-db-root.env.yaml
+++ b/keystone/templates/secret-keystone.yaml
@@ -11,11 +11,15 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: mistral-db-root
+  name: {{ $secretName }}
 type: Opaque
 data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
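Review bot: The admin Secret's `OS_AUTH_URL` changes endpoint here without any comment recording it: the deleted `secret-keystone-admin.env.yaml` looked it up with `tuple "identity" "admin" "admin"`, while this call passes `"internal"` and the `keystone_secret_openrc` snippet fixes the port name to `"api"`. If the jobs and test pod that read this Secret are meant to keep using the admin endpoint, the snippet would need a port argument as well as `"admin"` here. Otherwise a one-line template comment such as `{{/* admin credentials deliberately use the internal API endpoint */}}` would record the intent.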
diff --git a/keystone/values.yaml b/keystone/values.yaml
index e87ca30bbc..205a2bee98 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -48,14 +48,7 @@ termination_grace_period:
     timeout: 30
 
 keystone:
-  version: v3
-  scheme: http
-  admin_region_name: RegionOne
-  admin_user: admin
-  admin_password: password
-  admin_project_name: admin
-  admin_user_domain: default
-  admin_project_domain: default
+
 
 bootstrap:
   enabled: true
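Review bot: After this hunk `keystone:` is left with no value, which YAML parses as null rather than an empty map, and it is followed by two blank lines. Any template that still reads `.Values.keystone.<field>` (none is visible here) would then hit a nil value, and the bare key reads as an accident. Either delete the key together with the extra blank line, or write `keystone: {}` if other templates still expect the map to exist.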
@@ -194,12 +187,28 @@ conf:
           enabled: true
           backend: dogpile.cache.memcached
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: keystone-keystone-admin
+  oslo_db:
+    admin: keystone-db-admin
+    user: keystone-db-user
+
 # typically overriden by environmental
 # values, but should include all endpoints
 # required by this chart
 endpoints:
   identity:
     name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
     hosts:
       default: keystone-api
       public: keystone
diff --git a/magnum/templates/configmap-etc.yaml b/magnum/templates/configmap-etc.yaml
index 51f7dac680..61bfa6c4a8 100644
--- a/magnum/templates/configmap-etc.yaml
+++ b/magnum/templates/configmap-etc.yaml
@@ -23,6 +23,25 @@
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
 
+{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
+{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.project_name -}}
+{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}}
+{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}}
+{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.username -}}
+{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.password -}}
+{{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}}
 {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}}
 {{- end -}}
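Review bot: The last added block copies `endpoints.identity.auth.user.password` into `conf.magnum.keystone_authtoken`, and this template is `configmap-etc.yaml`. If that map is later rendered into the ConfigMap (the rendering is outside this hunk), the service password lands in an object that is typically readable by more principals than a Secret. A template comment above the block, for example `{{/* password is injected into conf here; the rendered magnum.conf should be stored in a Secret */}}`, would at least flag it for follow-up. The six near-identical `if empty` / `set` pairs could also be one `range` over the field names.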
diff --git a/magnum/templates/job-db-init.yaml b/magnum/templates/job-db-init.yaml
index e696ea4ded..29603a7fd3 100644
--- a/magnum/templates/job-db-init.yaml
+++ b/magnum/templates/job-db-init.yaml
@@ -43,7 +43,7 @@ spec:
             - name: ROOT_DB_CONNECTION
               valueFrom:
                 secretKeyRef:
-                  name: magnum-db-root
+                  name: {{ .Values.secrets.oslo_db.admin }}
                   key: DB_CONNECTION
             - name: OPENSTACK_CONFIG_FILE
               value: /etc/magnum/magnum.conf
diff --git a/magnum/templates/job-ks-endpoints.yaml b/magnum/templates/job-ks-endpoints.yaml
index 726f953bec..ed14f505e4 100644
--- a/magnum/templates/job-ks-endpoints.yaml
+++ b/magnum/templates/job-ks-endpoints.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
 {{- $dependencies := .Values.dependencies.ks_endpoints }}
 apiVersion: batch/v1
 kind: Job
@@ -50,7 +49,7 @@ spec:
               subPath: ks-endpoints.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SVC_ENDPOINT
diff --git a/magnum/templates/job-ks-service.yaml b/magnum/templates/job-ks-service.yaml
index 9428363473..153645bf6b 100644
--- a/magnum/templates/job-ks-service.yaml
+++ b/magnum/templates/job-ks-service.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
 {{- $dependencies := .Values.dependencies.ks_service }}
 apiVersion: batch/v1
 kind: Job
@@ -49,7 +48,7 @@ spec:
               subPath: ks-service.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SERVICE_NAME
diff --git a/magnum/templates/job-ks-user.yaml b/magnum/templates/job-ks-user.yaml
index 2f24ca11bd..4c7fae4092 100644
--- a/magnum/templates/job-ks-user.yaml
+++ b/magnum/templates/job-ks-user.yaml
@@ -12,8 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "magnum-env-keystone-admin" }}
-{{- $ksUserSecret := .Values.keystone.user_secret | default "magnum-env-keystone-user" }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
 apiVersion: batch/v1
@@ -49,16 +47,16 @@ spec:
               subPath: ks-user.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
               value: "magnum"
-{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_ROLE
-              value: {{ .Values.keystone.magnum_user_role | quote }}
+              value: {{ .Values.endpoints.identity.auth.user.role | quote }}
       volumes:
         - name: ks-user-sh
           configMap:
diff --git a/magnum/templates/secret-db-root.env.yaml b/magnum/templates/secret-db-root.env.yaml
deleted file mode 100644
index b7a2a35331..0000000000
--- a/magnum/templates/secret-db-root.env.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: magnum-db-root
-type: Opaque
-data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
diff --git a/magnum/templates/secret-db.yaml b/magnum/templates/secret-db.yaml
new file mode 100644
index 0000000000..f8c9dffe58
--- /dev/null
+++ b/magnum/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/magnum/templates/secret-keystone-admin.env.yaml b/magnum/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index f795623847..0000000000
--- a/magnum/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.keystone_secrets.admin }}
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name  | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain  | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name  | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain  | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.keystone.admin_user  | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.keystone.admin_password  | b64enc | indent 4 }}
diff --git a/magnum/templates/secret-keystone-user.env.yaml b/magnum/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index ef461171d4..0000000000
--- a/magnum/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.keystone_secrets.user }}
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }}
diff --git a/magnum/templates/secret-keystone.yaml b/magnum/templates/secret-keystone.yaml
new file mode 100644
index 0000000000..2507c3b3b8
--- /dev/null
+++ b/magnum/templates/secret-keystone.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
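Review bot: `name: {{ $secretName }}` is rendered unquoted and unvalidated, so an override that drops `secrets.identity.admin` or `secrets.identity.user` would presumably surface only when the manifest is applied, with an empty or placeholder name, rather than at render time. I would fail early and quote the value, e.g. `name: {{ required "secrets.identity.<class> must be set" $secretName | quote }}`, assuming the Helm version in use provides `required`. The same applies to the identical `secret-keystone.yaml` and the `secret-db.yaml` templates added for mistral and neutron, and to `name: {{ .Values.secrets.oslo_db.admin }}` in the mistral and neutron `job-db-init.yaml` hunks. A short template comment saying that this file emits one Secret per user class (`admin`, `user`) would also help, since the data keys come from `helm-toolkit.snippets.keystone_secret_openrc`, which is not visible here.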
diff --git a/magnum/values.yaml b/magnum/values.yaml
index 27d54f89b5..1d7e69a6f0 100644
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@@ -17,7 +17,6 @@
 # Declare name/value pairs to be passed into your templates.
 # name: value
 
-
 replicas:
   api: 1
   conductor: 1
@@ -52,20 +51,6 @@ termination_grace_period:
   api:
     timeout: 30
 
-keystone_secrets:
-  admin: "magnum-env-keystone-admin"
-  user: "magnum-env-keystone-user"
-
-keystone:
-  admin_user: "admin"
-  admin_user_domain: "default"
-  admin_password: "password"
-  admin_project_name: "admin"
-  admin_project_domain: "default"
-  admin_region_name: "RegionOne"
-
-  magnum_user_role: "admin"
-
 conf:
   paste:
     override:
@@ -146,12 +131,37 @@ dependencies:
     - service: identity
       endpoint: internal
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: magnum-keystone-admin
+    user: magnum-keystone-user
+  oslo_db:
+    admin: magnum-db-admin
+    user: magnum-db-user
+
 # typically overriden by environmental
 # values, but should include all endpoints
 # required by this chart
 endpoints:
   identity:
     name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      user:
+        role: admin
+        region_name: RegionOne
+        username: magnum
+        password: password
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
     hosts:
       default: keystone-api
       public: keystone
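Review bot: Both `endpoints.identity.auth.admin.password` and `endpoints.identity.auth.user.password` default to the literal `password`, and these values appear to feed the Keystone Secrets this chart renders, so a deployment that forgets an override comes up with guessable admin and service credentials. I would at least mark them as placeholders, e.g. `# placeholder credentials, must be overridden per deployment` above `auth:`, or leave them empty and have the secret template reject an empty password. The service user also keeps `role: admin`; it is worth confirming that magnum needs that role rather than a narrower one. The same defaults are added in the last hunks of `mistral/values.yaml` and `neutron/values.yaml`. The `endpoints:` mapping continues outside this hunk.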
diff --git a/mistral/templates/configmap-etc.yaml b/mistral/templates/configmap-etc.yaml
index 439555d90f..95ee7cbbb6 100644
--- a/mistral/templates/configmap-etc.yaml
+++ b/mistral/templates/configmap-etc.yaml
@@ -22,6 +22,25 @@
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
 
+{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
+{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.project_name -}}
+{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}}
+{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}}
+{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.username -}}
+{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.password -}}
+{{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}}
 {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}}
 {{- end -}}
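Review bot: The last added block copies `endpoints.identity.auth.user.password` into the `auth_token` section of `conf.mistral`, and since this file is `configmap-etc.yaml` that value presumably ends up in a ConfigMap, which does not get the access restrictions or at-rest encryption options that a Secret can have. The rendering of the conf tree is outside this hunk, so this needs confirming. If it holds, consider rendering `mistral.conf` into a Secret, or at minimum record the exposure with a template comment such as `{{/* auth_token.password is rendered into this ConfigMap; restrict read access to it */}}`. The same hunk shape appears in `neutron/templates/configmap-etc.yaml`.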
diff --git a/mistral/templates/job-db-init.yaml b/mistral/templates/job-db-init.yaml
index fd595c2d55..a150192009 100644
--- a/mistral/templates/job-db-init.yaml
+++ b/mistral/templates/job-db-init.yaml
@@ -43,7 +43,7 @@ spec:
             - name: ROOT_DB_CONNECTION
               valueFrom:
                 secretKeyRef:
-                  name: mistral-db-root
+                  name: {{ .Values.secrets.oslo_db.admin }}
                   key: DB_CONNECTION
             - name: OPENSTACK_CONFIG_FILE
               value: /etc/mistral/mistral.conf
diff --git a/mistral/templates/job-ks-endpoints.yaml b/mistral/templates/job-ks-endpoints.yaml
index 7f43b08a58..3595c53550 100644
--- a/mistral/templates/job-ks-endpoints.yaml
+++ b/mistral/templates/job-ks-endpoints.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "mistral-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.ks_endpoints }}
 apiVersion: batch/v1
 kind: Job
@@ -50,7 +49,7 @@ spec:
               subPath: ks-endpoints.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SVC_ENDPOINT
diff --git a/mistral/templates/job-ks-service.yaml b/mistral/templates/job-ks-service.yaml
index 04de18a594..8c14c3746c 100644
--- a/mistral/templates/job-ks-service.yaml
+++ b/mistral/templates/job-ks-service.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "mistral-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.ks_service }}
 apiVersion: batch/v1
 kind: Job
@@ -49,7 +48,7 @@ spec:
               subPath: ks-service.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SERVICE_NAME
diff --git a/mistral/templates/job-ks-user.yaml b/mistral/templates/job-ks-user.yaml
index bda79d5cb7..d8759d9ee0 100644
--- a/mistral/templates/job-ks-user.yaml
+++ b/mistral/templates/job-ks-user.yaml
@@ -12,8 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "mistral-env-keystone-admin" }}
-{{- $ksUserSecret := .Values.keystone.user_secret | default "mistral-env-keystone-user" }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
 apiVersion: batch/v1
@@ -49,16 +47,16 @@ spec:
               subPath: ks-user.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
               value: "mistral"
-{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_ROLE
-              value: {{ .Values.keystone.mistral_user_role | quote }}
+              value: {{ .Values.endpoints.identity.auth.user.role | quote }}
       volumes:
         - name: ks-user-sh
           configMap:
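Review bot: The two `with` lines in this hunk resolve values differently: the admin secret uses `$envAll.Values.secrets.identity.admin`, while the user secret and the role use `.Values.secrets.identity.user` and `.Values.endpoints.identity.auth.user.role`. Both presumably resolve to the same root here, but mixing them invites breakage if the block is later moved inside a `with` or `range` that rebinds `.`. I would use `$envAll` throughout, e.g. `{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.user }}`. The neutron `job-ks-user.yaml` and `pod-rally-test.yaml` hunks use `.Values` where the neutron `job-ks-endpoints.yaml` and `job-ks-service.yaml` hunks use `$envAll.Values`. The Job spec starts and ends outside this hunk.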
diff --git a/mistral/templates/secret-db.yaml b/mistral/templates/secret-db.yaml
new file mode 100644
index 0000000000..f8c9dffe58
--- /dev/null
+++ b/mistral/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/mistral/templates/secret-keystone-admin.env.yaml b/mistral/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index b53c5817a6..0000000000
--- a/mistral/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: mistral-env-keystone-admin
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name  | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain  | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name  | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain  | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.keystone.admin_user  | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.keystone.admin_password  | b64enc | indent 4 }}
-
diff --git a/mistral/templates/secret-keystone-user.env.yaml b/mistral/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index 47f6103b5f..0000000000
--- a/mistral/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: mistral-env-keystone-user
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }}
diff --git a/mistral/templates/secret-keystone.yaml b/mistral/templates/secret-keystone.yaml
new file mode 100644
index 0000000000..2507c3b3b8
--- /dev/null
+++ b/mistral/templates/secret-keystone.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
diff --git a/mistral/values.yaml b/mistral/values.yaml
index a387b5bc7a..63faa4da97 100644
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@@ -17,7 +17,6 @@
 # Declare name/value pairs to be passed into your templates.
 # name: value
 
-
 replicas:
   api: 1
   engine: 1
@@ -56,26 +55,6 @@ termination_grace_period:
   api:
     timeout: 30
 
-keystone_secrets:
-  admin: "mistral-env-keystone-admin"
-  user: "mistral-env-keystone-user"
-
-keystone:
-  admin_user: "admin"
-  admin_user_domain: "default"
-  admin_password: "password"
-  admin_project_name: "admin"
-  admin_project_domain: "default"
-  admin_region_name: "RegionOne"
-
-  mistral_user: "mistral"
-  mistral_user_domain: "default"
-  mistral_user_role: "admin"
-  mistral_password: "password"
-  mistral_project_name: "service"
-  mistral_project_domain: "default"
-  mistral_region_name: "RegionOne"
-
 network:
   api:
     ingress:
@@ -150,12 +129,37 @@ dependencies:
     - service: identity
       endpoint: internal
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: mistral-keystone-admin
+    user: mistral-keystone-user
+  oslo_db:
+    admin: mistral-db-admin
+    user: mistral-db-user
+
 # typically overriden by environmental
 # values, but should include all endpoints
 # required by this chart
 endpoints:
   identity:
     name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      user:
+        role: admin
+        region_name: RegionOne
+        username: mistral
+        password: password
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
     hosts:
       default: keystone-api
       public: keystone
diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml
index 7453379590..772c2f3d68 100644
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
@@ -33,6 +33,25 @@
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end }}
 
+{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.project_name -}}
+{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}}
+{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}}
+{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.username -}}
+{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.password -}}
+{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
+{{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}}
 {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}}
 {{- end }}
diff --git a/neutron/templates/job-db-init.yaml b/neutron/templates/job-db-init.yaml
index 333f6ed0dd..b17261ab08 100644
--- a/neutron/templates/job-db-init.yaml
+++ b/neutron/templates/job-db-init.yaml
@@ -34,7 +34,7 @@ spec:
             - name: ROOT_DB_CONNECTION
               valueFrom:
                 secretKeyRef:
-                  name: neutron-db-root
+                  name: {{ .Values.secrets.oslo_db.admin }}
                   key: DB_CONNECTION
             - name: OPENSTACK_CONFIG_FILE
               value: /etc/neutron/neutron.conf
diff --git a/neutron/templates/job-ks-endpoints.yaml b/neutron/templates/job-ks-endpoints.yaml
index d359ac9f87..e64583f5ec 100644
--- a/neutron/templates/job-ks-endpoints.yaml
+++ b/neutron/templates/job-ks-endpoints.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "neutron-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.ks_endpoints }}
 apiVersion: batch/v1
 kind: Job
@@ -50,7 +49,7 @@ spec:
               subPath: ks-endpoints.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SVC_ENDPOINT
diff --git a/neutron/templates/job-ks-service.yaml b/neutron/templates/job-ks-service.yaml
index 10025ce037..0479b807b6 100644
--- a/neutron/templates/job-ks-service.yaml
+++ b/neutron/templates/job-ks-service.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "neutron-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.ks_service }}
 apiVersion: batch/v1
 kind: Job
@@ -49,7 +48,7 @@ spec:
               subPath: ks-service.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SERVICE_NAME
diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml
index e9a80ca531..7dd56e0463 100644
--- a/neutron/templates/job-ks-user.yaml
+++ b/neutron/templates/job-ks-user.yaml
@@ -12,8 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "neutron-env-keystone-admin" }}
-{{- $ksUserSecret := .Values.keystone.user_secret | default "neutron-env-keystone-user" }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
 apiVersion: batch/v1
@@ -49,16 +47,16 @@ spec:
               subPath: ks-user.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
               value: "neutron"
-{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_ROLE
-              value: {{ .Values.keystone.neutron_user_role | quote }}
+              value: {{ .Values.endpoints.identity.auth.user.role | quote }}
       volumes:
         - name: ks-user-sh
           configMap:
diff --git a/neutron/templates/pod-rally-test.yaml b/neutron/templates/pod-rally-test.yaml
index 5d7cd5c53f..4a9070141c 100644
--- a/neutron/templates/pod-rally-test.yaml
+++ b/neutron/templates/pod-rally-test.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "neutron-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.tests }}
 {{- $mounts_neutron_tests := .Values.mounts.neutron_tests.neutron_tests }}
 {{- $mounts_neutron_tests_init := .Values.mounts.neutron_tests.init_container }}
@@ -32,7 +31,7 @@ spec:
     - name: {{.Release.Name}}-token-issue-test
       image: {{ .Values.images.test }}
       env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
 {{- end }}
         - name: RALLY_ENV_NAME
diff --git a/neutron/templates/secret-db-root.env.yaml b/neutron/templates/secret-db-root.env.yaml
deleted file mode 100644
index ccdccb7d85..0000000000
--- a/neutron/templates/secret-db-root.env.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: neutron-db-root
-type: Opaque
-data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
diff --git a/neutron/templates/secret-db.yaml b/neutron/templates/secret-db.yaml
new file mode 100644
index 0000000000..f8c9dffe58
--- /dev/null
+++ b/neutron/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/neutron/templates/secret-keystone-admin.env.yaml b/neutron/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index 3d1bb0b48d..0000000000
--- a/neutron/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: neutron-env-keystone-admin
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name  | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain  | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name  | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain  | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.keystone.admin_user  | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.keystone.admin_password  | b64enc | indent 4 }}
diff --git a/neutron/templates/secret-keystone-user.env.yaml b/neutron/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index 111ebdb45e..0000000000
--- a/neutron/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: neutron-env-keystone-user
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.keystone.neutron_region_name  | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.neutron_project_domain  | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.keystone.neutron_project_name  | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.neutron_user_domain  | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.keystone.neutron_user  | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.keystone.neutron_password  | b64enc | indent 4 }}
diff --git a/neutron/templates/secret-keystone.yaml b/neutron/templates/secret-keystone.yaml
new file mode 100644
index 0000000000..2507c3b3b8
--- /dev/null
+++ b/neutron/templates/secret-keystone.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
diff --git a/neutron/values.yaml b/neutron/values.yaml
index 88e97d0768..ba00367cbb 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -134,23 +134,6 @@ network:
   metadata:
     port: 8775
 
-keystone:
-
-  admin_user: "admin"
-  admin_user_domain: "default"
-  admin_password: "password"
-  admin_project_name: "admin"
-  admin_project_domain: "default"
-  admin_region_name: "RegionOne"
-
-  neutron_user: "neutron"
-  neutron_user_domain: "default"
-  neutron_user_role: "admin"
-  neutron_password: "password"
-  neutron_project_name: "service"
-  neutron_project_domain: "default"
-  neutron_region_name: "RegionOne"
-
 metadata:
   workers: 4
 
@@ -374,12 +357,6 @@ conf:
         auth_token:
           auth_type: password
           auth_version: v3
-          region_name: RegionOne
-          project_domain_name: default
-          project_name: service
-          user_domain_name: default
-          username: neutron
-          password: password
   ml2_conf:
     override:
     append:
@@ -488,6 +465,14 @@ conf:
     override:
     append:
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: neutron-keystone-admin
+    user: neutron-keystone-user
+  oslo_db:
+    admin: neutron-db-admin
+    user: neutron-db-user
 
 # typically overriden by environmental
 # values, but should include all endpoints
@@ -548,6 +533,22 @@ endpoints:
         default: 6080
   identity:
     name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      user:
+        role: admin
+        region_name: RegionOne
+        username: neutron
+        password: password
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
     hosts:
       default: keystone-api
       public: keystone
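Review bot: The new `endpoints.identity.auth` block ships `password: password` for both the `admin` and `user` classes, and nothing in the visible templates rejects that default. The configmap-etc.yaml hunks copy `auth.user.password` into the service's `auth_token` settings whenever none is set there, so a deployment that omits an override runs with a well-known credential. At minimum the block should say so, for example `# placeholder credentials for development only; override in every real deployment` above `auth:`. A stricter option is to leave both passwords empty and fail rendering when they are unset. The same defaults are added in the nova/values.yaml and senlin/values.yaml hunks, and the `endpoints` mapping continues outside this hunk.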
diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml
index 391912ca71..18d7a7a06d 100644
--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
@@ -23,6 +23,25 @@
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
 
+{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
+{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_name -}}
+{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}}
+{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}}
+{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.username -}}
+{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.password -}}
+{{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}}
 {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}}
 {{- end -}}
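Review bot: The last added block copies `.Values.endpoints.identity.auth.user.password` into `conf.nova.keystone_authtoken.keystonemiddleware.auth_token`, and by its filename this template renders that config tree into a ConfigMap. The rendering is outside the hunk, so this is inferred, but if it holds, the Keystone service password lands outside the Secret objects this commit introduces. ConfigMaps are usually readable under broader RBAC rules than Secrets and are often left out of encryption-at-rest settings. Rendering the credential-bearing file from a Secret would close that gap; until then, a comment above the block such as `# NOTE: the password set here is written into the rendered nova.conf; restrict read access to this object` records the exposure. The same applies to the senlin/templates/configmap-etc.yaml hunk.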
diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml
index b2bf5b8e13..a915711b76 100644
--- a/nova/templates/job-bootstrap.yaml
+++ b/nova/templates/job-bootstrap.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "nova-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.bootstrap }}
 {{- $mounts_nova_bootstrap := .Values.mounts.nova_bootstrap.nova_bootstrap }}
 {{- $mounts_nova_bootstrap_init := .Values.mounts.nova_bootstrap.init_container }}
@@ -45,7 +44,7 @@ spec:
           command:
             - /tmp/bootstrap.sh
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
           volumeMounts:
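Review bot: The secret name is read through `.Values` on the changed `with` line here, while the equivalent lines in job-ks-endpoints.yaml and job-ks-service.yaml use `$envAll.Values`. Both resolve the same, because the `dict` arguments are evaluated before `with` rebinds the dot, but the mix makes the lines look context-sensitive and is easy to break if the block is later moved inside a `range`. Using the captured root everywhere keeps them uniform: `{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}`. The same applies to nova job-ks-user.yaml, pod-rally-test.yaml and the second `with` in senlin job-ks-user.yaml; the Job spec continues outside this hunk.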
diff --git a/nova/templates/job-db-init.yaml b/nova/templates/job-db-init.yaml
index 228ce31da9..999ca334c8 100644
--- a/nova/templates/job-db-init.yaml
+++ b/nova/templates/job-db-init.yaml
@@ -43,7 +43,7 @@ spec:
             - name: ROOT_DB_CONNECTION
               valueFrom:
                 secretKeyRef:
-                  name: nova-db-root
+                  name: {{ .Values.secrets.oslo_db.admin }}
                   key: DB_CONNECTION
             - name: OPENSTACK_CONFIG_FILE
               value: /etc/nova/nova.conf
@@ -80,7 +80,7 @@ spec:
             - name: ROOT_DB_CONNECTION
               valueFrom:
                 secretKeyRef:
-                  name: nova-db-root
+                  name: {{ .Values.secrets.oslo_db.admin }}
                   key: DB_CONNECTION
             - name: OPENSTACK_CONFIG_FILE
               value: /etc/nova/nova.conf
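Review bot: Both `ROOT_DB_CONNECTION` references in this file now point at `.Values.secrets.oslo_db.admin`, yet the commit also adds a `nova-db-api-admin` Secret (secret-db-api.yaml, `secrets.oslo_db_api.admin`) that no visible hunk consumes. If one of the two containers initialises the API database, it should probably read `name: {{ .Values.secrets.oslo_db_api.admin }}`; otherwise an override of the `oslo_db_api` endpoint never reaches db-init and the new admin Secret is dead configuration. This is an assumption, because the container definitions start outside both hunks. Quoting the rendered name (`{{ ... | quote }}`) would also protect against values that YAML would retype.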
diff --git a/nova/templates/job-ks-endpoints.yaml b/nova/templates/job-ks-endpoints.yaml
index 68902ea2b8..5d02a01cd5 100644
--- a/nova/templates/job-ks-endpoints.yaml
+++ b/nova/templates/job-ks-endpoints.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := $envAll.Values.keystone.admin_secret | default "nova-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.ks_endpoints }}
 apiVersion: batch/v1
 kind: Job
@@ -50,7 +49,7 @@ spec:
               subPath: ks-endpoints.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SVC_ENDPOINT
diff --git a/nova/templates/job-ks-service.yaml b/nova/templates/job-ks-service.yaml
index 60dbaf78e2..4bf0662899 100644
--- a/nova/templates/job-ks-service.yaml
+++ b/nova/templates/job-ks-service.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "nova-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.ks_service }}
 apiVersion: batch/v1
 kind: Job
@@ -49,7 +48,7 @@ spec:
               subPath: ks-service.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SERVICE_NAME
diff --git a/nova/templates/job-ks-user.yaml b/nova/templates/job-ks-user.yaml
index 44de01b8a5..0e17dbcaaf 100644
--- a/nova/templates/job-ks-user.yaml
+++ b/nova/templates/job-ks-user.yaml
@@ -12,8 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "nova-env-keystone-admin" }}
-{{- $ksUserSecret := .Values.keystone.user_secret | default "nova-env-keystone-user" }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
 apiVersion: batch/v1
@@ -49,16 +47,16 @@ spec:
               subPath: ks-user.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
               value: "nova"
-{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_ROLE
-              value: {{ .Values.keystone.nova_user_role | quote }}
+              value: {{ .Values.endpoints.identity.auth.user.role | quote }}
       volumes:
         - name: ks-user-sh
           configMap:
diff --git a/nova/templates/pod-rally-test.yaml b/nova/templates/pod-rally-test.yaml
index ef1a44591e..7ab4094525 100644
--- a/nova/templates/pod-rally-test.yaml
+++ b/nova/templates/pod-rally-test.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "nova-env-keystone-admin" }}
 {{- $dependencies := .Values.dependencies.tests }}
 {{- $mounts_nova_tests := .Values.mounts.nova_tests.nova_tests }}
 {{- $mounts_nova_tests_init := .Values.mounts.nova_tests.init_container }}
@@ -32,7 +31,7 @@ spec:
     - name: {{.Release.Name}}-token-issue-test
       image: {{ .Values.images.test }}
       env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
 {{- end }}
         - name: RALLY_ENV_NAME
diff --git a/nova/templates/secret-db-api.yaml b/nova/templates/secret-db-api.yaml
new file mode 100644
index 0000000000..3702514281
--- /dev/null
+++ b/nova/templates/secret-db-api.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db_api $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db_api" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/nova/templates/secret-db-root.env.yaml b/nova/templates/secret-db-root.env.yaml
deleted file mode 100644
index e5cfa657c8..0000000000
--- a/nova/templates/secret-db-root.env.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: nova-db-root
-type: Opaque
-data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
diff --git a/nova/templates/secret-db.yaml b/nova/templates/secret-db.yaml
new file mode 100644
index 0000000000..f8c9dffe58
--- /dev/null
+++ b/nova/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/nova/templates/secret-keystone-admin.env.yaml b/nova/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index 126f7e01f8..0000000000
--- a/nova/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: nova-env-keystone-admin
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name  | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain  | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name  | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain  | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.keystone.admin_user  | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.keystone.admin_password  | b64enc | indent 4 }}
diff --git a/nova/templates/secret-keystone-user.env.yaml b/nova/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index 26afb55a50..0000000000
--- a/nova/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: nova-env-keystone-user
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.password  | b64enc | indent 4 }}
diff --git a/nova/templates/secret-keystone.yaml b/nova/templates/secret-keystone.yaml
new file mode 100644
index 0000000000..2507c3b3b8
--- /dev/null
+++ b/nova/templates/secret-keystone.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
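Review bot: Both user classes are passed to the helper with `"internal"`, whereas the removed secret-keystone-admin.env.yaml built the admin `OS_AUTH_URL` from `tuple "identity" "admin" "admin"`. If the second tuple element selects the endpoint type, the bootstrap and ks-* jobs now authenticate as admin against the internal endpoint instead of the admin one. The helper is not shown, so this is inferred, and nothing in the template records that the change is intended. If it is deliberate, a comment above the `range` would say so, e.g. `# admin and user openrc both target the "internal" identity endpoint`; if not, the endpoint type needs to vary with `$userClass`. senlin/templates/secret-keystone.yaml replaces an admin secret built the same way.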
diff --git a/nova/values.yaml b/nova/values.yaml
index 4579443f3c..51ec66e5df 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -143,15 +143,6 @@ network:
     port: 6080
     targetPort: 6080
 
-keystone:
-  admin_user: "admin"
-  admin_user_domain: "default"
-  admin_password: "password"
-  admin_project_name: "admin"
-  admin_project_domain: "default"
-  admin_region_name: "RegionOne"
-  nova_user_role: "admin"
-
 ceph:
   enabled: false
   monitors: []
@@ -416,12 +407,6 @@ conf:
         auth_token:
           auth_type: password
           auth_version: v3
-          region_name: RegionOne
-          project_name: service
-          project_domain_name: default
-          user_domain_name: default
-          username: nova
-          password: password
 
     libvirt:
       nova:
@@ -448,6 +433,17 @@ conf:
         conf:
           api_paste_config: /etc/nova/api-paste.ini
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: nova-keystone-admin
+    user: nova-keystone-user
+  oslo_db:
+    admin: nova-db-admin
+    user: nova-db-user
+  oslo_db_api:
+    admin: nova-db-api-admin
+    user: nova-db-api-user
 
 # typically overriden by environmental
 # values, but should include all endpoints
@@ -506,6 +502,22 @@ endpoints:
         default: 11211
   identity:
     name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      user:
+        role: admin
+        region_name: RegionOne
+        username: nova
+        password: password
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
     hosts:
       default: keystone-api
       public: keystone
diff --git a/senlin/templates/configmap-etc.yaml b/senlin/templates/configmap-etc.yaml
index bec615d3a4..4a3482a116 100644
--- a/senlin/templates/configmap-etc.yaml
+++ b/senlin/templates/configmap-etc.yaml
@@ -23,6 +23,25 @@
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
 
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
+{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.project_name -}}
+{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name -}}
+{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "project_domain_name" .Values.endpoints.identity.auth.user.project_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name -}}
+{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "user_domain_name" .Values.endpoints.identity.auth.user.user_domain_name | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.username -}}
+{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "username" .Values.endpoints.identity.auth.user.username | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.password -}}
+{{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "password" .Values.endpoints.identity.auth.user.password | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}}
 {{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}}
 {{- end -}}
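Review bot: The six added `if empty … set …` blocks differ only in the field name, which makes it easy for one of them to drift from the others, for example a field copied from the wrong source key. A single loop over the field names would express the same defaulting once. The same six blocks are added to nova/templates/configmap-etc.yaml; the surrounding template continues outside the hunk.

```yaml
{{- $authToken := .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token -}}
{{- $ksUser := .Values.endpoints.identity.auth.user -}}
{{- range $field := tuple "region_name" "project_name" "project_domain_name" "user_domain_name" "username" "password" -}}
{{- if empty (index $authToken $field) -}}
{{- set $authToken $field (index $ksUser $field) | quote | trunc 0 -}}
{{- end -}}
{{- end -}}
# … unchanged: memcached_servers defaulting …
```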
diff --git a/senlin/templates/job-db-init.yaml b/senlin/templates/job-db-init.yaml
index 4b1f8b2a18..a1cdfcd576 100644
--- a/senlin/templates/job-db-init.yaml
+++ b/senlin/templates/job-db-init.yaml
@@ -43,7 +43,7 @@ spec:
             - name: ROOT_DB_CONNECTION
               valueFrom:
                 secretKeyRef:
-                  name: senlin-db-root
+                  name: {{ .Values.secrets.oslo_db.admin }}
                   key: DB_CONNECTION
             - name: OPENSTACK_CONFIG_FILE
               value: /etc/senlin/senlin.conf
diff --git a/senlin/templates/job-ks-endpoints.yaml b/senlin/templates/job-ks-endpoints.yaml
index 5d307d92da..bafe2d6057 100644
--- a/senlin/templates/job-ks-endpoints.yaml
+++ b/senlin/templates/job-ks-endpoints.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
 {{- $dependencies := .Values.dependencies.ks_endpoints }}
 apiVersion: batch/v1
 kind: Job
@@ -50,7 +49,7 @@ spec:
               subPath: ks-endpoints.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SVC_ENDPOINT
diff --git a/senlin/templates/job-ks-service.yaml b/senlin/templates/job-ks-service.yaml
index cf345a2c88..016d026ef3 100644
--- a/senlin/templates/job-ks-service.yaml
+++ b/senlin/templates/job-ks-service.yaml
@@ -13,7 +13,6 @@
 # limitations under the License.
 
 {{- $envAll := . }}
-{{- $ksAdminSecret := .Values.keystone_secrets.admin }}
 {{- $dependencies := .Values.dependencies.ks_service }}
 apiVersion: batch/v1
 kind: Job
@@ -49,7 +48,7 @@ spec:
               subPath: ks-service.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SERVICE_NAME
diff --git a/senlin/templates/job-ks-user.yaml b/senlin/templates/job-ks-user.yaml
index 2d1a3655e0..2f2be1d690 100644
--- a/senlin/templates/job-ks-user.yaml
+++ b/senlin/templates/job-ks-user.yaml
@@ -12,8 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-{{- $ksAdminSecret := .Values.keystone.admin_secret | default "senlin-env-keystone-admin" }}
-{{- $ksUserSecret := .Values.keystone.user_secret | default "senlin-env-keystone-user" }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
 apiVersion: batch/v1
@@ -49,16 +47,16 @@ spec:
               subPath: ks-user.sh
               readOnly: true
           env:
-{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
               value: "senlin"
-{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_ROLE
-              value: {{ .Values.keystone.senlin_user_role | quote }}
+              value: {{ .Values.endpoints.identity.auth.user.role | quote }}
       volumes:
         - name: ks-user-sh
           configMap:
diff --git a/senlin/templates/secret-db-root.env.yaml b/senlin/templates/secret-db-root.env.yaml
deleted file mode 100644
index 020007c025..0000000000
--- a/senlin/templates/secret-db-root.env.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: senlin-db-root
-type: Opaque
-data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" "admin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }}
diff --git a/senlin/templates/secret-db.yaml b/senlin/templates/secret-db.yaml
new file mode 100644
index 0000000000..f8c9dffe58
--- /dev/null
+++ b/senlin/templates/secret-db.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- end }}
diff --git a/senlin/templates/secret-keystone-admin.env.yaml b/senlin/templates/secret-keystone-admin.env.yaml
deleted file mode 100644
index f795623847..0000000000
--- a/senlin/templates/secret-keystone-admin.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.keystone_secrets.admin }}
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.keystone.admin_region_name  | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.admin_project_domain  | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.keystone.admin_project_name  | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.admin_user_domain  | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.keystone.admin_user  | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.keystone.admin_password  | b64enc | indent 4 }}
diff --git a/senlin/templates/secret-keystone-user.env.yaml b/senlin/templates/secret-keystone-user.env.yaml
deleted file mode 100644
index a11f50c37d..0000000000
--- a/senlin/templates/secret-keystone-user.env.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.keystone_secrets.user }}
-type: Opaque
-data:
-  OS_AUTH_URL: |
-{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
-  OS_REGION_NAME: |
-{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
-  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
-  OS_PROJECT_NAME: |
-{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
-  OS_USER_DOMAIN_NAME: |
-{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
-  OS_USERNAME: |
-{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
-  OS_PASSWORD: |
-{{ .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }}
diff --git a/senlin/templates/secret-keystone.yaml b/senlin/templates/secret-keystone.yaml
new file mode 100644
index 0000000000..2507c3b3b8
--- /dev/null
+++ b/senlin/templates/secret-keystone.yaml
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" "user" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
diff --git a/senlin/values.yaml b/senlin/values.yaml
index 1520e5477f..1bdcf0c497 100644
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@@ -17,7 +17,6 @@
 # Declare name/value pairs to be passed into your templates.
 # name: value
 
-
 replicas:
   api: 1
   engine: 1
@@ -52,21 +51,6 @@ termination_grace_period:
   api:
     timeout: 30
 
-keystone_secrets:
-  admin: "senlin-env-keystone-admin"
-  user: "senlin-env-keystone-user"
-
-keystone:
-  admin_user: "admin"
-  admin_user_domain: "default"
-  admin_password: "password"
-  admin_project_name: "admin"
-  admin_project_domain: "default"
-  admin_region_name: "RegionOne"
-
-  senlin_user_role: "admin"
-
-
 conf:
   paste:
     override:
@@ -82,12 +66,6 @@ conf:
         auth_token:
           auth_type: password
           auth_version: v3
-          region_name: RegionOne
-          project_domain_name: default
-          project_name: service
-          user_domain_name: default
-          username: senlin
-          password: password
     senlin_api:
       senlin:
         config:
@@ -147,12 +125,37 @@ dependencies:
     - service: identity
       endpoint: internal
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  identity:
+    admin: senlin-keystone-admin
+    user: senlin-keystone-user
+  oslo_db:
+    admin: senlin-db-admin
+    user: senlin-db-user
+
 # typically overriden by environmental
 # values, but should include all endpoints
 # required by this chart
 endpoints:
   identity:
     name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+      user:
+        role: admin
+        region_name: RegionOne
+        username: senlin
+        password: password
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
     hosts:
       default: keystone-api
       public: keystone