diff --git a/components/glance/glance-mariadb-db.yaml b/components/glance/glance-mariadb-db.yaml index 81ec18d06..17607126e 100644 --- a/components/glance/glance-mariadb-db.yaml +++ b/components/glance/glance-mariadb-db.yaml @@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: glance-db-conn +spec: + mariaDbRef: + name: mariadb + username: glance + passwordSecretKeyRef: + name: glance-db-password + key: password + database: glance + secretName: glance-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/glance/values.yaml b/components/glance/values.yaml index 27f9b4b11..a6903dcdb 100644 --- a/components/glance/values.yaml +++ b/components/glance/values.yaml 
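Review bot: `{{ .Password }}` is interpolated unescaped into the SQLAlchemy URL in `format`, so a generated password that contains URL-reserved characters (`@`, `/`, `:`, `#`, `%`, `?`) would produce a DSN that fails to parse or points at the wrong host. Either constrain the generator that feeds `glance-db-password` to URL-safe characters, or percent-encode the value in the template if the operator's template functions allow it (I have not verified that they do). The same `format` block is repeated in the horizon, ironic, keystone, neutron, nova, nova-api, nova-cell0 and placement Connection hunks. A comment above `format:` such as `# password must be URL-safe: it is embedded unescaped in the SQLAlchemy DSN below` would make the assumption visible to whoever changes the generator.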
@@ -89,6 +89,38 @@ pod: periodSeconds: 10 timeoutSeconds: 8 failureThreshold: 6 + mounts: + # oslo.config autoloads certain paths in alphabetical order + # which gives us the opportunity to inject secrets and extra + # configs here. likely the best paths are: + # /etc/${project}/${prog}.conf.d/*.conf + # /etc/${project}/${project}.conf.d/*.conf + # the first would be best for per service separation but since each + # service is in its own pod they won't overlap. further more there + # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 + # so we'll use the bottom one + glance_api: + glance_api: + volumeMounts: + - mountPath: /etc/glance/glance.conf.d/db_conn.conf + name: glance-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: glance-db-conn + secret: + secretName: glance-db-conn + glance_db_sync: + glance_db_sync: + volumeMounts: + - mountPath: /etc/glance/glance.conf.d/db_conn.conf + name: glance-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: glance-db-conn + secret: + secretName: glance-db-conn conf: glance_api_uwsgi: diff --git a/components/horizon/horizon-mariadb-db.yaml b/components/horizon/horizon-mariadb-db.yaml index 0301c3717..c7f8ad13b 100644 --- a/components/horizon/horizon-mariadb-db.yaml +++ b/components/horizon/horizon-mariadb-db.yaml @@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: horizon-db-conn +spec: + mariaDbRef: + name: mariadb + username: horizon + passwordSecretKeyRef: + name: horizon-db-password + key: password + database: horizon + secretName: horizon-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb 
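Review bot: `subPath: db_conf.conf` does not match the key the Connection writes into the Secret, which is `db_conn.conf` (also the basename of `mountPath`), so as far as I can tell the rendered `[database]` file never reaches the container and the service keeps whatever connection string the chart rendered from its own default values. Change both occurrences to `subPath: db_conn.conf`; the same typo is repeated in the horizon, ironic, keystone, neutron, nova and placement values.yaml hunks. Separately, files mounted through `subPath` are not refreshed when the Secret changes, so a password rotation performed through the operator only takes effect after the pods restart, which is worth stating in the comment block above `mounts:` since that block is copied verbatim into every values.yaml.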
diff --git a/components/horizon/values.yaml b/components/horizon/values.yaml index b85000b76..97a29beed 100644 --- a/components/horizon/values.yaml +++ b/components/horizon/values.yaml @@ -76,6 +76,38 @@ pod: # this should be set to no more than (pod.replicas.horizon - 1) # usually set on per-deployment basis. min_available: 0 + mounts: + # oslo.config autoloads certain paths in alphabetical order + # which gives us the opportunity to inject secrets and extra + # configs here. likely the best paths are: + # /etc/${project}/${prog}.conf.d/*.conf + # /etc/${project}/${project}.conf.d/*.conf + # the first would be best for per service separation but since each + # service is in its own pod they won't overlap. further more there + # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 + # so we'll use the bottom one + horizon: + horizon: + volumeMounts: + - mountPath: /etc/horizon/horizon.conf.d/db_conn.conf + name: horizon-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: horizon-db-conn + secret: + secretName: horizon-db-conn + horizon_db_sync: + horizon_db_sync: + volumeMounts: + - mountPath: /etc/horizon/horizon.conf.d/db_conn.conf + name: horizon-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: horizon-db-conn + secret: + secretName: horizon-db-conn # We don't want to enable OpenStack Helm's # helm.sh/hooks because they set them as diff --git a/components/ironic/ironic-mariadb-db.yaml b/components/ironic/ironic-mariadb-db.yaml index 00826af14..b9708ca91 100644 --- a/components/ironic/ironic-mariadb-db.yaml +++ b/components/ironic/ironic-mariadb-db.yaml 
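Review bot: Horizon is a Django application configured through `local_settings.py` rather than oslo.config, so as far as I can tell nothing in the `horizon` or `horizon_db_sync` pods reads `/etc/horizon/horizon.conf.d/db_conn.conf`, and the `[database] connection =` ini line the Connection renders is not a format Django's `DATABASES` setting understands. The comment block copied here about oslo.config autoloading `/etc/${project}/${project}.conf.d/*.conf` therefore does not apply to this chart. Because the horizon password is removed from the `oslo_db` auth block in openstack-secrets.tpl.yaml in the same commit, horizon's database settings presumably fall back to the chart's placeholder password; the credential needs a Django-compatible path (for example rendering it into the settings overlay the chart already uses) instead of this mount.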
@@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: ironic-db-conn +spec: + mariaDbRef: + name: mariadb + username: ironic + passwordSecretKeyRef: + name: ironic-db-password + key: password + database: ironic + secretName: ironic-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/ironic/values.yaml b/components/ironic/values.yaml index f0fd123e7..f475069b9 100644 --- a/components/ironic/values.yaml +++ b/components/ironic/values.yaml 
@@ -169,9 +169,44 @@ manifests: pod: mounts: + # oslo.config autoloads certain paths in alphabetical order + # which gives us the opportunity to inject secrets and extra + # configs here. likely the best paths are: + # /etc/${project}/${prog}.conf.d/*.conf + # /etc/${project}/${project}.conf.d/*.conf + # the first would be best for per service separation but since each + # service is in its own pod they won't overlap. further more there + # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 + # so we'll use the bottom one + ironic_api: + ironic_api: + volumeMounts: + - mountPath: /etc/ironic/ironic.conf.d/db_conn.conf + name: ironic-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: ironic-db-conn + secret: + secretName: ironic-db-conn + ironic_db_sync: + ironic_db_sync: + volumeMounts: + - mountPath: /etc/ironic/ironic.conf.d/db_conn.conf + name: ironic-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: ironic-db-conn + secret: + secretName: ironic-db-conn ironic_conductor: ironic_conductor: volumeMounts: + - mountPath: /etc/ironic/ironic.conf.d/db_conn.conf + name: ironic-db-conn + subPath: db_conf.conf + readOnly: true - name: dnsmasq-ironic mountPath: /etc/dnsmasq.d/ - name: dnsmasq-dhcp @@ -179,6 +214,9 @@ pod: - name: understack-data mountPath: /var/lib/understack volumes: + - name: ironic-db-conn + secret: + secretName: ironic-db-conn - name: dnsmasq-ironic persistentVolumeClaim: claimName: dnsmasq-ironic diff --git a/components/keystone/keystone-mariadb-db.yaml b/components/keystone/keystone-mariadb-db.yaml index f044959c1..c7242a50e 100644 --- a/components/keystone/keystone-mariadb-db.yaml +++ b/components/keystone/keystone-mariadb-db.yaml 
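Review bot: The entry added to `ironic_conductor.volumeMounts` puts `mountPath` before `name`, while the existing entries in the same list (`- name: dnsmasq-ironic` / `mountPath: /etc/dnsmasq.d/`, `- name: understack-data` / `mountPath: /var/lib/understack`) put `name` first, so the list no longer scans uniformly. Writing the new item as `- name: ironic-db-conn`, `mountPath: /etc/ironic/ironic.conf.d/db_conn.conf`, `subPath: ...`, `readOnly: true` keeps the surrounding convention; the `keystone_api` list in the keystone values.yaml hunk has the same mismatch against its existing `- name: keystone-sso` entry. The new `- name: ironic-db-conn` volume in the second hunk already follows the order of its neighbours.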
@@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: keystone-db-conn +spec: + mariaDbRef: + name: mariadb + username: keystone + passwordSecretKeyRef: + name: keystone-db-password + key: password + database: keystone + secretName: keystone-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/keystone/values.yaml b/components/keystone/values.yaml index 9c28a2383..e4204da45 100644 --- a/components/keystone/values.yaml +++ b/components/keystone/values.yaml @@ -225,6 +225,10 @@ pod: keystone_api: keystone_api: volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true - name: keystone-sso mountPath: /etc/keystone-sso readOnly: true 
@@ -232,12 +236,92 @@ pod: mountPath: /etc/oidc-secret readOnly: true volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn - name: keystone-sso secret: secretName: keystone-sso - name: oidc-secret secret: secretName: sso-passphrase + keystone_db_sync: + keystone_db_sync: + volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn + keystone_credential_setup: + keystone_credential_setup: + volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn + keystone_fernet_setup: + keystone_fernet_setup: + volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn + keystone_credential_rotate: + keystone_credential_rotate: + volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn + keystone_fernet_rotate: + keystone_fernet_rotate: + volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn + keystone_credential_cleanup: + keystone_credential_cleanup: + volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn + keystone_domain_manage: + keystone_domain_manage: + volumeMounts: + - mountPath: 
/etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn replicas: api: 2 lifecycle: diff --git a/components/neutron/neutron-mariadb-db.yaml b/components/neutron/neutron-mariadb-db.yaml index ac07b24fc..54a79e5a4 100644 --- a/components/neutron/neutron-mariadb-db.yaml +++ b/components/neutron/neutron-mariadb-db.yaml @@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: neutron-db-conn +spec: + mariaDbRef: + name: mariadb + username: neutron + passwordSecretKeyRef: + name: neutron-db-password + key: password + database: neutron + secretName: neutron-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/neutron/values.yaml b/components/neutron/values.yaml index 1ac0bb9f6..ba2dbb37e 100644 --- a/components/neutron/values.yaml +++ b/components/neutron/values.yaml 
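Review bot: The Secret holding the database password is now mounted into every keystone job, including `keystone_credential_setup`, `keystone_fernet_setup`, `keystone_fernet_rotate`, `keystone_credential_cleanup` and `keystone_domain_manage`, which as far as I can tell manage key repositories or talk to the keystone API rather than the database. Mounting a DB credential into pods that never open the database widens the set of places it can be read from; consider restricting the mount to `keystone_api`, `keystone_db_sync` and the jobs that actually run against the schema (`keystone_credential_rotate` may be one, since it validates stored credentials), and add a one-line comment on each stanza saying why the job needs it. That keeps the least-privilege intent reviewable the next time a job is added.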
@@ -92,18 +92,22 @@ pod: # usually set on per-deployment basis. min_available: 0 mounts: + # oslo.config autoloads certain paths in alphabetical order + # which gives us the opportunity to inject secrets and extra + # configs here. likely the best paths are: + # /etc/${project}/${prog}.conf.d/*.conf + # /etc/${project}/${project}.conf.d/*.conf + # the first would be best for per service separation but since each + # service is in its own pod they won't overlap. further more there + # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 + # so we'll use the bottom one neutron_server: neutron_server: volumeMounts: - # oslo.config autoloads certain paths in alphabetical order - # which gives us the opportunity to inject secrets and extra - # configs here. likely the best paths are: - # /etc/${project}/${prog}.conf.d/*.conf - # /etc/${project}/${project}.conf.d/*.conf - # the first would be best for per service separation but since each - # service is in its own pod they won't overlap. further more there - # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 - # so we'll use the bottom one + - mountPath: /etc/neutron/neutron.conf.d/db_conn.conf + name: neutron-db-conn + subPath: db_conf.conf + readOnly: true - mountPath: /etc/neutron/neutron.conf.d/ml2_understack.conf name: neutron-nautobot subPath: ml2_understack.conf 
@@ -112,12 +116,38 @@ pod: name: undersync-token readOnly: true volumes: + - name: neutron-db-conn + secret: + secretName: neutron-db-conn - name: neutron-nautobot secret: secretName: neutron-nautobot - name: undersync-token secret: secretName: undersync-token + neutron_ironic_agent: + neutron_ironic_agent: + volumeMounts: + - mountPath: /etc/neutron/neutron.conf.d/db_conn.conf + name: neutron-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: neutron-db-conn + secret: + secretName: neutron-db-conn + neutron_db_sync: + neutron_db_sync: + volumeMounts: + - mountPath: /etc/neutron/neutron.conf.d/db_conn.conf + name: neutron-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: neutron-db-conn + secret: + secretName: neutron-db-conn + # (nicholas.kuechler) updating the jobs list to remove the 'neutron-rabbit-init' job. dependencies: dynamic: diff --git a/components/nova/nova-api-mariadb-db.yaml b/components/nova/nova-api-mariadb-db.yaml index 237d263c4..f86251f29 100644 --- a/components/nova/nova-api-mariadb-db.yaml +++ b/components/nova/nova-api-mariadb-db.yaml @@ -30,3 +30,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: nova-api-db-conn +spec: + mariaDbRef: + name: mariadb + username: nova + passwordSecretKeyRef: + name: nova-db-password + key: password + database: nova_api + secretName: nova-api-db-conn + secretTemplate: + key: db_conn.conf + format: | + [api_database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/nova/nova-cell0-mariadb-db.yaml b/components/nova/nova-cell0-mariadb-db.yaml index fa4ce3f78..7747ab8d3 100644 --- a/components/nova/nova-cell0-mariadb-db.yaml +++ b/components/nova/nova-cell0-mariadb-db.yaml 
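Review bot: `neutron_ironic_agent` reports to neutron-server over RPC and, as far as I can tell, never opens the database itself, so mounting `neutron-db-conn` into it hands a credential to a pod that has no use for it. If nothing in that pod needs `[database] connection`, drop the `neutron_ironic_agent` stanza; if it is needed for a reason I am missing, a comment above it such as `# ironic agent needs direct DB access for <reason>` would stop the next reviewer asking the same question.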
@@ -30,3 +30,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: nova-cell0-db-conn +spec: + mariaDbRef: + name: mariadb + username: nova + passwordSecretKeyRef: + name: nova-db-password + key: password + database: nova_cell0 + secretName: nova-cell0-db-conn + secretTemplate: + key: db_conn.conf + format: | + [cell0_database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/nova/nova-mariadb-db.yaml b/components/nova/nova-mariadb-db.yaml index 845c0f8ec..17e0435fd 100644 --- a/components/nova/nova-mariadb-db.yaml +++ b/components/nova/nova-mariadb-db.yaml @@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: nova-db-conn +spec: + mariaDbRef: + name: mariadb + username: nova + passwordSecretKeyRef: + name: nova-db-password + key: password + database: nova + secretName: nova-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/nova/values.yaml b/components/nova/values.yaml index 723f29036..7b7f40ed5 100644 --- a/components/nova/values.yaml +++ b/components/nova/values.yaml 
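Review bot: `[cell0_database]` is not a configuration section Nova reads; the cell0 mapping is established by `nova-manage cell_v2 map_cell0`, which takes the connection on its command line or derives it from `[database] connection` by appending `_cell0` to the database name, so a `cell0_db_conn.conf` file carrying this section is silently ignored by every service it is mounted into. Since the same commit removes the `oslo_db_cell0` password from openstack-secrets.tpl.yaml, confirm that the cell-setup step still receives a working cell0 connection string. If this file is intended for that step, a comment above `format:` naming the consumer would document the contract.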
@@ -146,6 +146,141 @@ pod: # this should be set to no more than (pod.replicas.osapi - 1) # usually set on per-deployment basis. min_available: 0 + mounts: + # oslo.config autoloads certain paths in alphabetical order + # which gives us the opportunity to inject secrets and extra + # configs here. likely the best paths are: + # /etc/${project}/${prog}.conf.d/*.conf + # /etc/${project}/${project}.conf.d/*.conf + # the first would be best for per service separation but since each + # service is in its own pod they won't overlap. further more there + # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 + # so we'll use the bottom one + nova_compute_ironic: + nova_compute_ironic: + volumeMounts: + - mountPath: /etc/nova/nova.conf.d/db_conn.conf + name: nova-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/api_db_conn.conf + name: nova-api-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/cell0_db_conn.conf + name: nova-cell0-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: nova-db-conn + secret: + secretName: nova-db-conn + - name: nova-api-db-conn + secret: + secretName: nova-api-db-conn + - name: nova-cell0-db-conn + secret: + secretName: nova-cell0-db-conn + nova_api_osapi: + nova_api_osapi: + volumeMounts: + - mountPath: /etc/nova/nova.conf.d/db_conn.conf + name: nova-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/api_db_conn.conf + name: nova-api-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/cell0_db_conn.conf + name: nova-cell0-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: nova-db-conn + secret: + secretName: nova-db-conn + - name: nova-api-db-conn + secret: + secretName: nova-api-db-conn + - name: nova-cell0-db-conn + secret: + secretName: nova-cell0-db-conn + nova_conductor: + nova_conductor: + volumeMounts: + - mountPath: 
/etc/nova/nova.conf.d/db_conn.conf + name: nova-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/api_db_conn.conf + name: nova-api-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/cell0_db_conn.conf + name: nova-cell0-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: nova-db-conn + secret: + secretName: nova-db-conn + - name: nova-api-db-conn + secret: + secretName: nova-api-db-conn + - name: nova-cell0-db-conn + secret: + secretName: nova-cell0-db-conn + nova_scheduler: + nova_scheduler: + volumeMounts: + - mountPath: /etc/nova/nova.conf.d/db_conn.conf + name: nova-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/api_db_conn.conf + name: nova-api-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/cell0_db_conn.conf + name: nova-cell0-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: nova-db-conn + secret: + secretName: nova-db-conn + - name: nova-api-db-conn + secret: + secretName: nova-api-db-conn + - name: nova-cell0-db-conn + secret: + secretName: nova-cell0-db-conn + nova_db_sync: + nova_db_sync: + volumeMounts: + - mountPath: /etc/nova/nova.conf.d/db_conn.conf + name: nova-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/api_db_conn.conf + name: nova-api-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/cell0_db_conn.conf + name: nova-cell0-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: nova-db-conn + secret: + secretName: nova-db-conn + - name: nova-api-db-conn + secret: + secretName: nova-api-db-conn + - name: nova-cell0-db-conn + secret: + secretName: nova-cell0-db-conn manifests: job_db_init: false diff --git a/components/openstack-secrets.tpl.yaml b/components/openstack-secrets.tpl.yaml index c48864121..4885b642d 100644 --- a/components/openstack-secrets.tpl.yaml 
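Review bot: `nova_compute_ironic` receives all three DB connection Secrets, but nova-compute is designed to have no direct database access (it goes through nova-conductor and, as far as I recall, its entry point explicitly blocks DB use), so these mounts only expose the `nova`, `nova_api` and `nova_cell0` credentials to the compute pod without enabling anything. Drop the `nova_compute_ironic` stanza, or add a comment explaining the consumer if there is one I am missing. For the remaining services, the `cell0_db_conn.conf` mount relies on a `[cell0_database]` section that Nova does not read; see the nova-cell0 Connection hunk.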
+++ b/components/openstack-secrets.tpl.yaml @@ -40,43 +40,6 @@ endpoints: # this is used for encrypting / protecting the memcache tokens memcache_secret_key: "${MEMCACHE_SECRET_KEY}" - # 'oslo_db' is for MariaDB - oslo_db: - auth: - # this is what the keystone service uses to connect to MariaDB - keystone: - password: "${KEYSTONE_DB_PASSWORD}" - # this is what the glance service uses to connect to MariaDB - glance: - password: "${GLANCE_DB_PASSWORD}" - # this is what the ironic service uses to connect to MariaDB - ironic: - password: "${IRONIC_DB_PASSWORD}" - # this is what the neutron service uses to connect to MariaDB - neutron: - password: "${NEUTRON_DB_PASSWORD}" - # this is what the nova service uses to connect to MariaDB - nova: - password: "${NOVA_DB_PASSWORD}" - # this is what the placement service uses to connect to MariaDB - placement: - password: "${PLACEMENT_DB_PASSWORD}" - # this is what the horizon dashboard service uses to connect to MariaDB - horizon: - password: "${HORIZON_DB_PASSWORD}" - - # 'oslo_db_api' is for MariaDB specific for nova - oslo_db_api: - auth: - nova: - password: "${NOVA_DB_PASSWORD}" - - # 'oslo_db_cell0' is for MariaDB specific for nova - oslo_db_cell0: - auth: - nova: - password: "${NOVA_DB_PASSWORD}" - # 'oslo_messaging' is for RabbitMQ oslo_messaging: auth: diff --git a/components/placement/placement-mariadb-db.yaml b/components/placement/placement-mariadb-db.yaml index 4a5020bb7..47a944868 100644 --- a/components/placement/placement-mariadb-db.yaml +++ b/components/placement/placement-mariadb-db.yaml 
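Review bot: With the `oslo_db`, `oslo_db_api` and `oslo_db_cell0` auth blocks removed, the openstack-helm charts presumably still build their default `[database] connection` from the chart's own `endpoints.oslo_db.auth.<service>.password` placeholder, so the main config file rendered into each pod now carries a placeholder password and correctness depends entirely on the conf.d override taking precedence. That holds for oslo.config services once the mount works, but horizon does not use oslo.config, and any remaining consumer of these values (a db-init job in a chart where `job_db_init` is still enabled, for instance) would now run with the placeholder. A comment at this spot, e.g. `# database passwords are no longer templated here; services read them from the mariadb-operator Connection secret mounted under <service>.conf.d`, would explain the absence to the next reader.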
@@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: placement-db-conn +spec: + mariaDbRef: + name: mariadb + username: placement + passwordSecretKeyRef: + name: placement-db-password + key: password + database: placement + secretName: placement-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/placement/values.yaml b/components/placement/values.yaml index 756c2b507..6c3e57ebf 100644 --- a/components/placement/values.yaml +++ b/components/placement/values.yaml 
@@ -30,6 +30,38 @@ pod: # this should be set to no more than (pod.replicas.api - 1) # usually set on per-deployment basis. min_available: 0 + mounts: + # oslo.config autoloads certain paths in alphabetical order + # which gives us the opportunity to inject secrets and extra + # configs here. likely the best paths are: + # /etc/${project}/${prog}.conf.d/*.conf + # /etc/${project}/${project}.conf.d/*.conf + # the first would be best for per service separation but since each + # service is in its own pod they won't overlap. further more there + # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 + # so we'll use the bottom one + placement: + placement: + volumeMounts: + - mountPath: /etc/placement/placement.conf.d/db_conn.conf + name: placement-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: placement-db-conn + secret: + secretName: placement-db-conn + placement_db_sync: + placement_db_sync: + volumeMounts: + - mountPath: /etc/placement/placement.conf.d/db_conn.conf + name: placement-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: placement-db-conn + secret: + secretName: placement-db-conn manifests: job_db_init: false diff --git a/scripts/gitops-secrets-gen.sh b/scripts/gitops-secrets-gen.sh index 4ac6ed905..693b8516a 100755 --- a/scripts/gitops-secrets-gen.sh +++ b/scripts/gitops-secrets-gen.sh 
@@ -320,26 +320,23 @@ for component in keystone ironic placement neutron nova glance; do # environment variable names VARNAME_RABBITMQ_PASSWORD="$(convert_to_var_name "${component}" "RABBITMQ_PASSWORD")" - VARNAME_DB_PASSWORD="$(convert_to_var_name "${component}" "DB_PASSWORD")" VARNAME_KEYSTONE_PASSWORD="$(convert_to_var_name "${keystone_user}" "KEYSTONE_PASSWORD")" # k8s secret names SECRET_RABBITMQ_PASSWORD="$(convert_to_secret_name "${VARNAME_RABBITMQ_PASSWORD}")" - SECRET_DB_PASSWORD="$(convert_to_secret_name "${VARNAME_DB_PASSWORD}")" SECRET_KEYSTONE_PASSWORD="$(convert_to_secret_name "${VARNAME_KEYSTONE_PASSWORD}")" # attempt to load the existing secrets from the cluster and use those # otherwise generate the passwords and set the variable names load_or_gen_os_secret "${VARNAME_RABBITMQ_PASSWORD}" "${SECRET_RABBITMQ_PASSWORD}" && \ create_os_secret "RABBITMQ_PASSWORD" "${component}" "${component}" - load_or_gen_os_secret "${VARNAME_DB_PASSWORD}" "${SECRET_DB_PASSWORD}" && \ + [ ! -f "${DEST_DIR}/${component}/secret-db-password.yaml" ] && \ create_os_secret "DB_PASSWORD" "${component}" "${component}" load_or_gen_os_secret "${VARNAME_KEYSTONE_PASSWORD}" "${SECRET_KEYSTONE_PASSWORD}" && \ create_os_secret "KEYSTONE_PASSWORD" "${component}" "${keystone_user}" # export the variables for templating the openstack secret export "${VARNAME_RABBITMQ_PASSWORD?}" - export "${VARNAME_DB_PASSWORD?}" export "${VARNAME_KEYSTONE_PASSWORD?}" done 
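Review bot: `[ ! -f "${DEST_DIR}/${component}/secret-db-password.yaml" ] && create_os_secret "DB_PASSWORD" ...` no longer calls `load_or_gen_os_secret`, which previously populated the `<COMPONENT>_DB_PASSWORD` variable that `create_os_secret` (defined outside this hunk) presumably reads; unless `create_os_secret` generates a value itself when that variable is unset, the new Secret file is written with an empty password. The check is also purely file-based now: if the local YAML is missing but the cluster already holds `<component>-db-password`, a fresh value is generated and may replace the one the live database users were created with, a rotation hazard the old load-from-cluster path avoided. The horizon hunk below makes the same change and raises the same two questions. A comment such as `# the local password file is the source of truth: regenerating it rotates the DB credential` would at least make the new behaviour explicit.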
@@ -348,12 +345,8 @@ echo "Checking horizon" # horizon credentials mkdir -p "${DEST_DIR}/horizon" # horizon user password for database -VARNAME_DB_PASSWORD="HORIZON_DB_PASSWORD" -SECRET_DB_PASSWORD="horizon-db-password" -load_or_gen_os_secret "${VARNAME_DB_PASSWORD}" "${SECRET_DB_PASSWORD}" && \ +[ ! -f "${DEST_DIR}/horizon/secret-db-password.yaml" ] && \ create_os_secret "DB_PASSWORD" "horizon" "horizon" -# export the variable for templating into the openstack secret / values.yaml -export HORIZON_DB_PASSWORD # generate the secret-openstack.yaml file every time from our secrets data # this is a helm values.yaml but it contains secrets because of the lack