From 7c759de3d0c02cb41622ebf31ba2f150b7ecc7c3 Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Wed, 12 Feb 2025 16:22:21 -0600 Subject: [PATCH 1/2] feat: use mariadb operator for OpenStack db secrets Generate and inject the database connection info via a secret generated by the MariaDB operator to create a connection string that matches what oslo.config reads. Unfortunately OpenStack Helm doesn't always respect the mount for the db_sync job so this won't work until that's fixed upstream and we bump to releases with those fixes for all the services. --- components/glance/glance-mariadb-db.yaml | 23 +++ components/glance/values.yaml | 32 +++++ components/horizon/horizon-mariadb-db.yaml | 23 +++ components/horizon/values.yaml | 32 +++++ components/ironic/ironic-mariadb-db.yaml | 23 +++ components/ironic/values.yaml | 38 +++++ components/keystone/keystone-mariadb-db.yaml | 23 +++ components/keystone/values.yaml | 84 +++++++++++ components/neutron/neutron-mariadb-db.yaml | 23 +++ components/neutron/values.yaml | 48 +++++-- components/nova/nova-api-mariadb-db.yaml | 23 +++ components/nova/nova-cell0-mariadb-db.yaml | 23 +++ components/nova/nova-mariadb-db.yaml | 23 +++ components/nova/values.yaml | 135 ++++++++++++++++++ .../placement/placement-mariadb-db.yaml | 23 +++ components/placement/values.yaml | 32 +++++ 16 files changed, 599 insertions(+), 9 deletions(-) diff --git a/components/glance/glance-mariadb-db.yaml b/components/glance/glance-mariadb-db.yaml index 81ec18d06..17607126e 100644 --- a/components/glance/glance-mariadb-db.yaml +++ b/components/glance/glance-mariadb-db.yaml 
@@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: glance-db-conn +spec: + mariaDbRef: + name: mariadb + username: glance + passwordSecretKeyRef: + name: glance-db-password + key: password + database: glance + secretName: glance-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/glance/values.yaml b/components/glance/values.yaml index 27f9b4b11..a6903dcdb 100644 --- a/components/glance/values.yaml +++ b/components/glance/values.yaml @@ -89,6 +89,38 @@ pod: periodSeconds: 10 timeoutSeconds: 8 failureThreshold: 6 + mounts: + # oslo.config autoloads certain paths in alphabetical order + # which gives us the opportunity to inject secrets and extra + # configs here. likely the best paths are: + # /etc/${project}/${prog}.conf.d/*.conf + # /etc/${project}/${project}.conf.d/*.conf + # the first would be best for per service separation but since each + # service is in its own pod they won't overlap. further more there + # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 + # so we'll use the bottom one + glance_api: + glance_api: + volumeMounts: + - mountPath: /etc/glance/glance.conf.d/db_conn.conf + name: glance-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: glance-db-conn + secret: + secretName: glance-db-conn + glance_db_sync: + glance_db_sync: + volumeMounts: + - mountPath: /etc/glance/glance.conf.d/db_conn.conf + name: glance-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: glance-db-conn + secret: + secretName: glance-db-conn conf: glance_api_uwsgi: 
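Review bot: The `format` template on the Connection interpolates `{{ .Password }}` directly into the authority part of the `connection =` URL, so a password containing `@`, `/`, `:`, `#` or `%` would be mis-parsed by oslo.db/SQLAlchemy; as far as I can tell the operator does not URL-escape that field. Unless the generator that fills `glance-db-password` is already limited to URL-safe characters, that constraint should be made explicit where the password is generated (outside this diff) and recorded here, e.g. `# password is interpolated unescaped into a URL; the generator must emit URL-safe characters only` above `format:`. The same template is used by the horizon, ironic, keystone, neutron, nova (api, cell0, main) and placement Connection hunks below.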
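Review bot: Every new mount uses `subPath: db_conf.conf`, but the Connection's `secretTemplate.key` is `db_conn.conf`, so the subPath names a key that does not exist in the `glance-db-conn` Secret; depending on the kubelet version that either fails the container start or leaves an empty directory at `/etc/glance/glance.conf.d/db_conn.conf`, and in both cases the `[database]` section never reaches oslo.config. Change each mount to `subPath: db_conn.conf`. The same mismatch is repeated in the horizon, ironic (both hunks), keystone (both hunks), neutron (both hunks), nova and placement values.yaml hunks. Minor: `further more` in the copied comment block should read `furthermore`.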
diff --git a/components/horizon/horizon-mariadb-db.yaml b/components/horizon/horizon-mariadb-db.yaml index 0301c3717..c7f8ad13b 100644 --- a/components/horizon/horizon-mariadb-db.yaml +++ b/components/horizon/horizon-mariadb-db.yaml @@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: horizon-db-conn +spec: + mariaDbRef: + name: mariadb + username: horizon + passwordSecretKeyRef: + name: horizon-db-password + key: password + database: horizon + secretName: horizon-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/horizon/values.yaml b/components/horizon/values.yaml index b85000b76..97a29beed 100644 --- a/components/horizon/values.yaml +++ b/components/horizon/values.yaml 
@@ -76,6 +76,38 @@ pod: # this should be set to no more than (pod.replicas.horizon - 1) # usually set on per-deployment basis. min_available: 0 + mounts: + # oslo.config autoloads certain paths in alphabetical order + # which gives us the opportunity to inject secrets and extra + # configs here. likely the best paths are: + # /etc/${project}/${prog}.conf.d/*.conf + # /etc/${project}/${project}.conf.d/*.conf + # the first would be best for per service separation but since each + # service is in its own pod they won't overlap. further more there + # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 + # so we'll use the bottom one + horizon: + horizon: + volumeMounts: + - mountPath: /etc/horizon/horizon.conf.d/db_conn.conf + name: horizon-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: horizon-db-conn + secret: + secretName: horizon-db-conn + horizon_db_sync: + horizon_db_sync: + volumeMounts: + - mountPath: /etc/horizon/horizon.conf.d/db_conn.conf + name: horizon-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: horizon-db-conn + secret: + secretName: horizon-db-conn # We don't want to enable OpenStack Helm's # helm.sh/hooks because they set them as diff --git a/components/ironic/ironic-mariadb-db.yaml b/components/ironic/ironic-mariadb-db.yaml index 00826af14..b9708ca91 100644 --- a/components/ironic/ironic-mariadb-db.yaml +++ b/components/ironic/ironic-mariadb-db.yaml 
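Review bot: The mount at `/etc/horizon/horizon.conf.d/db_conn.conf` assumes horizon reads oslo.config `*.conf.d` snippets, but horizon is a Django application whose database settings come from `local_settings` (the chart renders them from its `oslo_db` endpoint values), so as far as I can tell this file is never read. Since the second patch drops `oslo_db.auth.horizon.password` from the secrets template, horizon's session database will likely end up configured without a password unless a Django-side injection path is added. Either drop this hunk or mark it, e.g. `# NOTE: horizon does not load oslo.config snippets; placeholder until the Django settings can read the secret` above the `mounts:` block.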
@@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: ironic-db-conn +spec: + mariaDbRef: + name: mariadb + username: ironic + passwordSecretKeyRef: + name: ironic-db-password + key: password + database: ironic + secretName: ironic-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/ironic/values.yaml b/components/ironic/values.yaml index f0fd123e7..f475069b9 100644 --- a/components/ironic/values.yaml +++ b/components/ironic/values.yaml 
@@ -169,9 +169,44 @@ manifests: pod: mounts: + # oslo.config autoloads certain paths in alphabetical order + # which gives us the opportunity to inject secrets and extra + # configs here. likely the best paths are: + # /etc/${project}/${prog}.conf.d/*.conf + # /etc/${project}/${project}.conf.d/*.conf + # the first would be best for per service separation but since each + # service is in its own pod they won't overlap. further more there + # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 + # so we'll use the bottom one + ironic_api: + ironic_api: + volumeMounts: + - mountPath: /etc/ironic/ironic.conf.d/db_conn.conf + name: ironic-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: ironic-db-conn + secret: + secretName: ironic-db-conn + ironic_db_sync: + ironic_db_sync: + volumeMounts: + - mountPath: /etc/ironic/ironic.conf.d/db_conn.conf + name: ironic-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: ironic-db-conn + secret: + secretName: ironic-db-conn ironic_conductor: ironic_conductor: volumeMounts: + - mountPath: /etc/ironic/ironic.conf.d/db_conn.conf + name: ironic-db-conn + subPath: db_conf.conf + readOnly: true - name: dnsmasq-ironic mountPath: /etc/dnsmasq.d/ - name: dnsmasq-dhcp @@ -179,6 +214,9 @@ pod: - name: understack-data mountPath: /var/lib/understack volumes: + - name: ironic-db-conn + secret: + secretName: ironic-db-conn - name: dnsmasq-ironic persistentVolumeClaim: claimName: dnsmasq-ironic diff --git a/components/keystone/keystone-mariadb-db.yaml b/components/keystone/keystone-mariadb-db.yaml index f044959c1..c7242a50e 100644 --- a/components/keystone/keystone-mariadb-db.yaml +++ b/components/keystone/keystone-mariadb-db.yaml 
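Review bot: In the `ironic_conductor` volumeMounts list the added entry is written `mountPath` first while the existing entries next to it are written `name` first (`- name: dnsmasq-ironic` / `mountPath: /etc/dnsmasq.d/`), which makes the list harder to scan; reordering the new entry to `- name: ironic-db-conn` followed by `mountPath: /etc/ironic/ironic.conf.d/db_conn.conf` keeps it uniform. The `volumes` addition in the second hunk already follows the surrounding `- name:`-first order.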
@@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: keystone-db-conn +spec: + mariaDbRef: + name: mariadb + username: keystone + passwordSecretKeyRef: + name: keystone-db-password + key: password + database: keystone + secretName: keystone-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/keystone/values.yaml b/components/keystone/values.yaml index 9c28a2383..e4204da45 100644 --- a/components/keystone/values.yaml +++ b/components/keystone/values.yaml @@ -225,6 +225,10 @@ pod: keystone_api: keystone_api: volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true - name: keystone-sso mountPath: /etc/keystone-sso readOnly: true 
@@ -232,12 +236,92 @@ pod: mountPath: /etc/oidc-secret readOnly: true volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn - name: keystone-sso secret: secretName: keystone-sso - name: oidc-secret secret: secretName: sso-passphrase + keystone_db_sync: + keystone_db_sync: + volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn + keystone_credential_setup: + keystone_credential_setup: + volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn + keystone_fernet_setup: + keystone_fernet_setup: + volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn + keystone_credential_rotate: + keystone_credential_rotate: + volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn + keystone_fernet_rotate: + keystone_fernet_rotate: + volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn + keystone_credential_cleanup: + keystone_credential_cleanup: + volumeMounts: + - mountPath: /etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn + keystone_domain_manage: + keystone_domain_manage: + volumeMounts: + - mountPath: 
/etc/keystone/keystone.conf.d/db_conn.conf + name: keystone-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: keystone-db-conn + secret: + secretName: keystone-db-conn replicas: api: 2 lifecycle: diff --git a/components/neutron/neutron-mariadb-db.yaml b/components/neutron/neutron-mariadb-db.yaml index ac07b24fc..54a79e5a4 100644 --- a/components/neutron/neutron-mariadb-db.yaml +++ b/components/neutron/neutron-mariadb-db.yaml @@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: neutron-db-conn +spec: + mariaDbRef: + name: mariadb + username: neutron + passwordSecretKeyRef: + name: neutron-db-password + key: password + database: neutron + secretName: neutron-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/neutron/values.yaml b/components/neutron/values.yaml index 1ac0bb9f6..ba2dbb37e 100644 --- a/components/neutron/values.yaml +++ b/components/neutron/values.yaml 
@@ -92,18 +92,22 @@ pod: # usually set on per-deployment basis. min_available: 0 mounts: + # oslo.config autoloads certain paths in alphabetical order + # which gives us the opportunity to inject secrets and extra + # configs here. likely the best paths are: + # /etc/${project}/${prog}.conf.d/*.conf + # /etc/${project}/${project}.conf.d/*.conf + # the first would be best for per service separation but since each + # service is in its own pod they won't overlap. further more there + # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 + # so we'll use the bottom one neutron_server: neutron_server: volumeMounts: - # oslo.config autoloads certain paths in alphabetical order - # which gives us the opportunity to inject secrets and extra - # configs here. likely the best paths are: - # /etc/${project}/${prog}.conf.d/*.conf - # /etc/${project}/${project}.conf.d/*.conf - # the first would be best for per service separation but since each - # service is in its own pod they won't overlap. further more there - # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 - # so we'll use the bottom one + - mountPath: /etc/neutron/neutron.conf.d/db_conn.conf + name: neutron-db-conn + subPath: db_conf.conf + readOnly: true - mountPath: /etc/neutron/neutron.conf.d/ml2_understack.conf name: neutron-nautobot subPath: ml2_understack.conf 
@@ -112,12 +116,38 @@ pod: name: undersync-token readOnly: true volumes: + - name: neutron-db-conn + secret: + secretName: neutron-db-conn - name: neutron-nautobot secret: secretName: neutron-nautobot - name: undersync-token secret: secretName: undersync-token + neutron_ironic_agent: + neutron_ironic_agent: + volumeMounts: + - mountPath: /etc/neutron/neutron.conf.d/db_conn.conf + name: neutron-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: neutron-db-conn + secret: + secretName: neutron-db-conn + neutron_db_sync: + neutron_db_sync: + volumeMounts: + - mountPath: /etc/neutron/neutron.conf.d/db_conn.conf + name: neutron-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: neutron-db-conn + secret: + secretName: neutron-db-conn + # (nicholas.kuechler) updating the jobs list to remove the 'neutron-rabbit-init' job. dependencies: dynamic: diff --git a/components/nova/nova-api-mariadb-db.yaml b/components/nova/nova-api-mariadb-db.yaml index 237d263c4..f86251f29 100644 --- a/components/nova/nova-api-mariadb-db.yaml +++ b/components/nova/nova-api-mariadb-db.yaml @@ -30,3 +30,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: nova-api-db-conn +spec: + mariaDbRef: + name: mariadb + username: nova + passwordSecretKeyRef: + name: nova-db-password + key: password + database: nova_api + secretName: nova-api-db-conn + secretTemplate: + key: db_conn.conf + format: | + [api_database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/nova/nova-cell0-mariadb-db.yaml b/components/nova/nova-cell0-mariadb-db.yaml index fa4ce3f78..7747ab8d3 100644 --- a/components/nova/nova-cell0-mariadb-db.yaml +++ b/components/nova/nova-cell0-mariadb-db.yaml 
@@ -30,3 +30,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: nova-cell0-db-conn +spec: + mariaDbRef: + name: mariadb + username: nova + passwordSecretKeyRef: + name: nova-db-password + key: password + database: nova_cell0 + secretName: nova-cell0-db-conn + secretTemplate: + key: db_conn.conf + format: | + [cell0_database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/nova/nova-mariadb-db.yaml b/components/nova/nova-mariadb-db.yaml index 845c0f8ec..17e0435fd 100644 --- a/components/nova/nova-mariadb-db.yaml +++ b/components/nova/nova-mariadb-db.yaml @@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: nova-db-conn +spec: + mariaDbRef: + name: mariadb + username: nova + passwordSecretKeyRef: + name: nova-db-password + key: password + database: nova + secretName: nova-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/nova/values.yaml b/components/nova/values.yaml index 723f29036..7b7f40ed5 100644 --- a/components/nova/values.yaml +++ b/components/nova/values.yaml 
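Review bot: The rendered snippet writes the cell0 DSN under a `[cell0_database]` section, which as far as I know is not a section nova reads from nova.conf: the cell0 connection is stored in the API database's cell mapping by `nova-manage cell_v2 map_cell0` (from its `--database_connection` argument, or derived from `[database]/connection`). If that holds, mounting this file into the nova pods (nova values hunk below) distributes a database credential that no process consumes, while the cell0 mapping job still has to obtain the DSN another way. Suggest either dropping this Connection or documenting its intended consumer above `format:`, e.g. `# consumed by the cell0 mapping job, not by nova.conf`, once one exists.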
@@ -146,6 +146,141 @@ pod: # this should be set to no more than (pod.replicas.osapi - 1) # usually set on per-deployment basis. min_available: 0 + mounts: + # oslo.config autoloads certain paths in alphabetical order + # which gives us the opportunity to inject secrets and extra + # configs here. likely the best paths are: + # /etc/${project}/${prog}.conf.d/*.conf + # /etc/${project}/${project}.conf.d/*.conf + # the first would be best for per service separation but since each + # service is in its own pod they won't overlap. further more there + # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 + # so we'll use the bottom one + nova_compute_ironic: + nova_compute_ironic: + volumeMounts: + - mountPath: /etc/nova/nova.conf.d/db_conn.conf + name: nova-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/api_db_conn.conf + name: nova-api-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/cell0_db_conn.conf + name: nova-cell0-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: nova-db-conn + secret: + secretName: nova-db-conn + - name: nova-api-db-conn + secret: + secretName: nova-api-db-conn + - name: nova-cell0-db-conn + secret: + secretName: nova-cell0-db-conn + nova_api_osapi: + nova_api_osapi: + volumeMounts: + - mountPath: /etc/nova/nova.conf.d/db_conn.conf + name: nova-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/api_db_conn.conf + name: nova-api-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/cell0_db_conn.conf + name: nova-cell0-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: nova-db-conn + secret: + secretName: nova-db-conn + - name: nova-api-db-conn + secret: + secretName: nova-api-db-conn + - name: nova-cell0-db-conn + secret: + secretName: nova-cell0-db-conn + nova_conductor: + nova_conductor: + volumeMounts: + - mountPath: 
/etc/nova/nova.conf.d/db_conn.conf + name: nova-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/api_db_conn.conf + name: nova-api-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/cell0_db_conn.conf + name: nova-cell0-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: nova-db-conn + secret: + secretName: nova-db-conn + - name: nova-api-db-conn + secret: + secretName: nova-api-db-conn + - name: nova-cell0-db-conn + secret: + secretName: nova-cell0-db-conn + nova_scheduler: + nova_scheduler: + volumeMounts: + - mountPath: /etc/nova/nova.conf.d/db_conn.conf + name: nova-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/api_db_conn.conf + name: nova-api-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/cell0_db_conn.conf + name: nova-cell0-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: nova-db-conn + secret: + secretName: nova-db-conn + - name: nova-api-db-conn + secret: + secretName: nova-api-db-conn + - name: nova-cell0-db-conn + secret: + secretName: nova-cell0-db-conn + nova_db_sync: + nova_db_sync: + volumeMounts: + - mountPath: /etc/nova/nova.conf.d/db_conn.conf + name: nova-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/api_db_conn.conf + name: nova-api-db-conn + subPath: db_conf.conf + readOnly: true + - mountPath: /etc/nova/nova.conf.d/cell0_db_conn.conf + name: nova-cell0-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: nova-db-conn + secret: + secretName: nova-db-conn + - name: nova-api-db-conn + secret: + secretName: nova-api-db-conn + - name: nova-cell0-db-conn + secret: + secretName: nova-cell0-db-conn manifests: job_db_init: false diff --git a/components/placement/placement-mariadb-db.yaml b/components/placement/placement-mariadb-db.yaml index 4a5020bb7..47a944868 100644 
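Review bot: `nova_compute_ironic` is given all three database credentials (`nova-db-conn`, `nova-api-db-conn`, `nova-cell0-db-conn`), but nova-compute is designed to have no direct database access and goes through nova-conductor, so these mounts hand a credential to the one nova service that should not hold it and widen the impact of a compromised compute pod. Unless the ironic driver in this deployment is known to need direct DB access (nothing in the diff suggests it), drop the `nova_compute_ironic` stanza and keep the mounts for osapi, conductor, scheduler and db_sync. This hunk starts on the previous line.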
--- a/components/placement/placement-mariadb-db.yaml +++ b/components/placement/placement-mariadb-db.yaml @@ -50,3 +50,26 @@ spec: grantOption: true host: "%" retryInterval: 5s +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Connection +metadata: + name: placement-db-conn +spec: + mariaDbRef: + name: mariadb + username: placement + passwordSecretKeyRef: + name: placement-db-password + key: password + database: placement + secretName: placement-db-conn + secretTemplate: + key: db_conn.conf + format: | + [database] + connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }} + healthCheck: + interval: 30s + retryInterval: 3s + serviceName: mariadb diff --git a/components/placement/values.yaml b/components/placement/values.yaml index 756c2b507..6c3e57ebf 100644 --- a/components/placement/values.yaml +++ b/components/placement/values.yaml 
@@ -30,6 +30,38 @@ pod: # this should be set to no more than (pod.replicas.api - 1) # usually set on per-deployment basis. min_available: 0 + mounts: + # oslo.config autoloads certain paths in alphabetical order + # which gives us the opportunity to inject secrets and extra + # configs here. likely the best paths are: + # /etc/${project}/${prog}.conf.d/*.conf + # /etc/${project}/${project}.conf.d/*.conf + # the first would be best for per service separation but since each + # service is in its own pod they won't overlap. further more there + # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514 + # so we'll use the bottom one + placement: + placement: + volumeMounts: + - mountPath: /etc/placement/placement.conf.d/db_conn.conf + name: placement-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: placement-db-conn + secret: + secretName: placement-db-conn + placement_db_sync: + placement_db_sync: + volumeMounts: + - mountPath: /etc/placement/placement.conf.d/db_conn.conf + name: placement-db-conn + subPath: db_conf.conf + readOnly: true + volumes: + - name: placement-db-conn + secret: + secretName: placement-db-conn manifests: job_db_init: false From 641b51c918b04237945b1b1d02f373f68b48da7f Mon Sep 17 00:00:00 2001 
From: Doug Goldstein Date: Tue, 18 Feb 2025 10:34:55 -0600 Subject: [PATCH 2/2] feat: remove OpenStack DB secrets Since we're now using the MariaDB operator to generate the DB connection, we don't need to have this generated by OpenStack Helm. So that means we don't need to inject the passwords in via plain text since OpenStack Helm does not support passing secrets by reference. Instead we are using the db connection snippet of the prior commit. Keystone and Placement currently do not support mounting the DB connection snippet for the db_sync job currently so we must wait until that is fixed upstream and we bump to a new enough version. Placement fix: https://review.opendev.org/c/openstack/openstack-helm/+/942131 --- components/openstack-secrets.tpl.yaml | 37 --------------------------- scripts/gitops-secrets-gen.sh | 11 ++------ 2 files changed, 2 insertions(+), 46 deletions(-) diff --git a/components/openstack-secrets.tpl.yaml b/components/openstack-secrets.tpl.yaml index c48864121..4885b642d 100644 --- a/components/openstack-secrets.tpl.yaml +++ b/components/openstack-secrets.tpl.yaml 
@@ -40,43 +40,6 @@ endpoints: # this is used for encrypting / protecting the memcache tokens memcache_secret_key: "${MEMCACHE_SECRET_KEY}" - # 'oslo_db' is for MariaDB - oslo_db: - auth: - # this is what the keystone service uses to connect to MariaDB - keystone: - password: "${KEYSTONE_DB_PASSWORD}" - # this is what the glance service uses to connect to MariaDB - glance: - password: "${GLANCE_DB_PASSWORD}" - # this is what the ironic service uses to connect to MariaDB - ironic: - password: "${IRONIC_DB_PASSWORD}" - # this is what the neutron service uses to connect to MariaDB - neutron: - password: "${NEUTRON_DB_PASSWORD}" - # this is what the nova service uses to connect to MariaDB - nova: - password: "${NOVA_DB_PASSWORD}" - # this is what the placement service uses to connect to MariaDB - placement: - password: "${PLACEMENT_DB_PASSWORD}" - # this is what the horizon dashboard service uses to connect to MariaDB - horizon: - password: "${HORIZON_DB_PASSWORD}" - - # 'oslo_db_api' is for MariaDB specific for nova - oslo_db_api: - auth: - nova: - password: "${NOVA_DB_PASSWORD}" - - # 'oslo_db_cell0' is for MariaDB specific for nova - oslo_db_cell0: - auth: - nova: - password: "${NOVA_DB_PASSWORD}" - # 'oslo_messaging' is for RabbitMQ oslo_messaging: auth: diff --git a/scripts/gitops-secrets-gen.sh b/scripts/gitops-secrets-gen.sh index 4ac6ed905..693b8516a 100755 --- a/scripts/gitops-secrets-gen.sh +++ b/scripts/gitops-secrets-gen.sh 
@@ -320,26 +320,23 @@ for component in keystone ironic placement neutron nova glance; do # environment variable names VARNAME_RABBITMQ_PASSWORD="$(convert_to_var_name "${component}" "RABBITMQ_PASSWORD")" - VARNAME_DB_PASSWORD="$(convert_to_var_name "${component}" "DB_PASSWORD")" VARNAME_KEYSTONE_PASSWORD="$(convert_to_var_name "${keystone_user}" "KEYSTONE_PASSWORD")" # k8s secret names SECRET_RABBITMQ_PASSWORD="$(convert_to_secret_name "${VARNAME_RABBITMQ_PASSWORD}")" - SECRET_DB_PASSWORD="$(convert_to_secret_name "${VARNAME_DB_PASSWORD}")" SECRET_KEYSTONE_PASSWORD="$(convert_to_secret_name "${VARNAME_KEYSTONE_PASSWORD}")" # attempt to load the existing secrets from the cluster and use those # otherwise generate the passwords and set the variable names load_or_gen_os_secret "${VARNAME_RABBITMQ_PASSWORD}" "${SECRET_RABBITMQ_PASSWORD}" && \ create_os_secret "RABBITMQ_PASSWORD" "${component}" "${component}" - load_or_gen_os_secret "${VARNAME_DB_PASSWORD}" "${SECRET_DB_PASSWORD}" && \ + [ ! -f "${DEST_DIR}/${component}/secret-db-password.yaml" ] && \ create_os_secret "DB_PASSWORD" "${component}" "${component}" load_or_gen_os_secret "${VARNAME_KEYSTONE_PASSWORD}" "${SECRET_KEYSTONE_PASSWORD}" && \ create_os_secret "KEYSTONE_PASSWORD" "${component}" "${keystone_user}" # export the variables for templating the openstack secret export "${VARNAME_RABBITMQ_PASSWORD?}" - export "${VARNAME_DB_PASSWORD?}" export "${VARNAME_KEYSTONE_PASSWORD?}" done 
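Review bot: The new `[ ! -f "${DEST_DIR}/${component}/secret-db-password.yaml" ] && create_os_secret "DB_PASSWORD" ...` drops the `load_or_gen_os_secret` call that used to populate the per-component `*_DB_PASSWORD` variable, and nothing left in the hunk sets it; if `create_os_secret` (defined outside this hunk) reads that variable to fill the Secret, a fresh checkout will write an empty or unset password into `secret-db-password.yaml`. The decision is also now based only on the local file, so an existing `*-db-password` Secret in the cluster is no longer reused; when the file is missing a new value is generated and the MariaDB operator will rotate the user's password to it, which may be intended but deserves a comment such as `# the operator owns this password once the Secret exists; only generate it when no local file exists`. The horizon block in the next hunk has the same shape.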
@@ -348,12 +345,8 @@ echo "Checking horizon" # horizon credentials mkdir -p "${DEST_DIR}/horizon" # horizon user password for database -VARNAME_DB_PASSWORD="HORIZON_DB_PASSWORD" -SECRET_DB_PASSWORD="horizon-db-password" -load_or_gen_os_secret "${VARNAME_DB_PASSWORD}" "${SECRET_DB_PASSWORD}" && \ +[ ! -f "${DEST_DIR}/horizon/secret-db-password.yaml" ] && \ create_os_secret "DB_PASSWORD" "horizon" "horizon" -# export the variable for templating into the openstack secret / values.yaml -export HORIZON_DB_PASSWORD # generate the secret-openstack.yaml file every time from our secrets data # this is a helm values.yaml but it contains secrets because of the lack