From 05b72833783b275f5fa93e8640163ad9f6a4a7f9 Mon Sep 17 00:00:00 2001 From: Ignacio Dominguez Martinez-Casanueva Date: Mon, 23 Jul 2018 11:42:30 +0200 Subject: [PATCH] Provide contrail admin password as Kubernetes secret Modify all Helm charts in order to consume KEYSTONE_AUTH_ADMIN_PASSWORD as a Secret rather than a ConfigMap value. Change-Id: I936d6a43b091d8f64724fbfc12e8d61b5dae5d41 Closes-Bug: #1782730 (cherry picked from commit f0e33bd1c66fdfb15d1e0c57d6c0daeb55d0935b) --- .../templates/configmap-env.yaml | 1 - .../templates/daemonset-analytics.yaml | 29 ++++++++++++++ .../templates/secret-keystone-admin.yaml | 28 +++++++++++++ contrail-analytics/values.yaml | 6 +++ .../templates/configmap-env.yaml | 1 - .../templates/daemonset-config.yaml | 29 ++++++++++++++ .../templates/daemonset-control-only.yaml | 6 +++ .../templates/daemonset-control.yaml | 23 +++++++++++ .../templates/daemonset-webui.yaml | 12 ++++++ .../templates/secret-keystone-admin.yaml | 28 +++++++++++++ contrail-controller/values.yaml | 5 +++ .../templates/configmap-env.yaml | 1 - .../daemonset-analyticsdb-nodemgr.yaml | 5 +++ .../templates/secret-keystone-admin.yaml | 28 +++++++++++++ contrail-thirdparty/values.yaml | 6 +++ contrail-vrouter/templates/configmap-env.yaml | 1 - .../daemonset-vrouter-agent-dpdk.yaml | 23 +++++++++++ .../daemonset-vrouter-agent-kernel.yaml | 23 +++++++++++ .../daemonset-vrouter-agent-sriov.yaml | 39 ++++++++++++++++++- .../templates/secret-keystone-admin.yaml | 28 +++++++++++++ contrail-vrouter/values.yaml | 6 +++ 21 files changed, 322 insertions(+), 6 deletions(-) create mode 100644 contrail-analytics/templates/secret-keystone-admin.yaml create mode 100644 contrail-controller/templates/secret-keystone-admin.yaml create mode 100644 contrail-thirdparty/templates/secret-keystone-admin.yaml create mode 100644 contrail-vrouter/templates/secret-keystone-admin.yaml 
diff --git a/contrail-analytics/templates/configmap-env.yaml b/contrail-analytics/templates/configmap-env.yaml index cf90939..6e6ff47 100644 --- a/contrail-analytics/templates/configmap-env.yaml +++ b/contrail-analytics/templates/configmap-env.yaml @@ -23,7 +23,6 @@ metadata: data: KEYSTONE_AUTH_ADMIN_USER: {{ .Values.endpoints.keystone.auth.username }} KEYSTONE_AUTH_ADMIN_TENANT: {{ .Values.endpoints.keystone.auth.project_name }} - KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password }} KEYSTONE_AUTH_USER_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.user_domain_name }} KEYSTONE_AUTH_PROJECT_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.project_domain_name }} KEYSTONE_AUTH_URL_VERSION: {{ .Values.endpoints.keystone.path.default }} diff --git a/contrail-analytics/templates/daemonset-analytics.yaml b/contrail-analytics/templates/daemonset-analytics.yaml index 719604e..7133ab2 100644 --- a/contrail-analytics/templates/daemonset-analytics.yaml +++ b/contrail-analytics/templates/daemonset-analytics.yaml @@ -62,6 +62,12 @@ spec: name: contrail-analytics-env - configMapRef: name: contrail-analytics-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log @@ -79,6 +85,12 @@ spec: name: contrail-analytics-keystone - configMapRef: name: contrail-analytics-rabbitmq + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log 
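Review bot: Nothing in the daemonset-analytics.yaml hunks makes the pods restart when the password changes. `secretKeyRef` values are resolved when a container starts, so after the Secret is updated the running DaemonSet pods keep the old `KEYSTONE_AUTH_ADMIN_PASSWORD`. The pod template metadata is outside the hunk, so a hash annotation may already exist for the ConfigMaps; if it does, it should also cover the new Secret, for example `checksum/keystone-admin: {{ include (print $.Template.BasePath "/secret-keystone-admin.yaml") . | sha256sum }}`. The same applies to every `env:` block this patch adds in the other daemonset templates. Quoting the templated name, `name: {{ .Values.secrets.keystone.admin | quote }}`, would also stop an unusual override from being retyped by the YAML parser.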
@@ -94,6 +106,12 @@ spec: name: contrail-analytics-keystone - configMapRef: name: contrail-analytics-rabbitmq + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log @@ -107,6 +125,12 @@ spec: name: contrail-analytics-env - configMapRef: name: contrail-analytics-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log @@ -155,6 +179,11 @@ spec: value: analytics - name: DOCKER_HOST value: "unix://mnt/docker.sock" + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log diff --git a/contrail-analytics/templates/secret-keystone-admin.yaml b/contrail-analytics/templates/secret-keystone-admin.yaml new file mode 100644 index 0000000..9c27411 --- /dev/null +++ b/contrail-analytics/templates/secret-keystone-admin.yaml 
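Review bot: In the last daemonset-analytics.yaml hunk (`@@ -155,6 +179,11 @@`) the password is added to a container whose `DOCKER_HOST` points at the mounted host docker socket. Container environment variables are returned by the container runtime's inspect API, so on each node the admin password is readable by anything that can reach that socket or read the process environment. That is a wider audience than RBAC on the Secret object suggests. If this container can read the credential from a file, a read-only `secret` volume is the narrower option; whether it needs the admin password at all is not visible here and is worth confirming. The docker-socket containers in daemonset-config.yaml, daemonset-control.yaml, daemonset-analyticsdb-nodemgr.yaml and the three vrouter agent templates follow the same pattern.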
@@ -0,0 +1,28 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_analytics_keystone_admin }} +{{- $envAll := . }} +{{- $secretName := $envAll.Values.secrets.keystone.admin }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password | b64enc }} +{{- end }} diff --git a/contrail-analytics/values.yaml b/contrail-analytics/values.yaml index 2e13878..5a8d3ec 100644 --- a/contrail-analytics/values.yaml +++ b/contrail-analytics/values.yaml @@ -36,6 +36,11 @@ dependencies: - contrail-analyticsdb - contrail-config +# Names of secrets used by bootstrap and environmental checks +secrets: + keystone: + admin: contrail-analytics-keystone-admin + # typically overriden by environmental # values, but should include all endpoints # required by this chart @@ -105,3 +110,4 @@ manifests: service_analytics_api_server: true service_analytics_api_ingress: true ingress_analytics_api: true + secret_analytics_keystone_admin: true diff --git a/contrail-controller/templates/configmap-env.yaml b/contrail-controller/templates/configmap-env.yaml index e1b4576..4809b60 100644 --- a/contrail-controller/templates/configmap-env.yaml +++ b/contrail-controller/templates/configmap-env.yaml 
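Review bot: The `data` line pipes `.Values.endpoints.keystone.auth.password` straight into `b64enc`, so an unset or all-digit password will most likely fail the render with a type error rather than a clear message. The `$envAll` variable defined two lines above is also not used for it. Something like `KEYSTONE_AUTH_ADMIN_PASSWORD: {{ required "endpoints.keystone.auth.password must be set" $envAll.Values.endpoints.keystone.auth.password | toString | b64enc | quote }}` handles both. The password still comes from chart values, so it remains in the stored Helm release data and in any values file kept in version control. The `manifests.secret_analytics_keystone_admin` flag appears to let operators pre-create the Secret named by `secrets.keystone.admin` instead, and a values.yaml comment saying so would help. The controller, thirdparty and vrouter copies of this template are identical and need the same change.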
@@ -64,7 +64,6 @@ metadata: data: KEYSTONE_AUTH_ADMIN_USER: {{ .Values.endpoints.keystone.auth.username }} KEYSTONE_AUTH_ADMIN_TENANT: {{ .Values.endpoints.keystone.auth.project_name }} - KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password }} KEYSTONE_AUTH_USER_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.user_domain_name }} KEYSTONE_AUTH_PROJECT_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.project_domain_name }} KEYSTONE_AUTH_URL_VERSION: {{ .Values.endpoints.keystone.path.default }} diff --git a/contrail-controller/templates/daemonset-config.yaml b/contrail-controller/templates/daemonset-config.yaml index 05f3fc8..63c7371 100644 --- a/contrail-controller/templates/daemonset-config.yaml +++ b/contrail-controller/templates/daemonset-config.yaml @@ -64,6 +64,12 @@ spec: name: contrail-controller-keystone - configMapRef: name: contrail-controller-rabbitmq + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log @@ -81,6 +87,12 @@ spec: name: contrail-controller-keystone - configMapRef: name: contrail-controller-rabbitmq + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log @@ -96,6 +108,12 @@ spec: name: contrail-controller-keystone - configMapRef: name: contrail-controller-rabbitmq + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log 
@@ -111,6 +129,12 @@ spec: name: contrail-controller-keystone - configMapRef: name: contrail-controller-rabbitmq + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log @@ -133,6 +157,11 @@ spec: value: {{ .Values.global.contrail_env.CONFIGDB_CQL_PORT | default 9041 | quote }} - name: CASSANDRA_JMX_LOCAL_PORT value: {{ .Values.global.contrail_env.CONFIGDB_JMX_LOCAL_PORT | default 7200 | quote }} + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /mnt/docker.sock name: docker-unix-socket diff --git a/contrail-controller/templates/daemonset-control-only.yaml b/contrail-controller/templates/daemonset-control-only.yaml index 9935136..f6e8b8d 100644 --- a/contrail-controller/templates/daemonset-control-only.yaml +++ b/contrail-controller/templates/daemonset-control-only.yaml @@ -61,6 +61,12 @@ spec: name: contrail-controller-keystone - configMapRef: name: contrail-controller-rabbitmq + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log diff --git a/contrail-controller/templates/daemonset-control.yaml b/contrail-controller/templates/daemonset-control.yaml index 7a7b14e..8a48c10 100644 --- a/contrail-controller/templates/daemonset-control.yaml +++ b/contrail-controller/templates/daemonset-control.yaml 
@@ -60,6 +60,12 @@ spec: name: contrail-controller-keystone - configMapRef: name: contrail-controller-rabbitmq + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log @@ -77,6 +83,12 @@ spec: name: contrail-controller-keystone - configMapRef: name: contrail-controller-rabbitmq + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log @@ -96,6 +108,12 @@ spec: name: contrail-controller-keystone - configMapRef: name: contrail-controller-rabbitmq + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log @@ -116,6 +134,11 @@ spec: value: control - name: DOCKER_HOST value: "unix://mnt/docker.sock" + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /mnt/docker.sock name: docker-unix-socket diff --git a/contrail-controller/templates/daemonset-webui.yaml b/contrail-controller/templates/daemonset-webui.yaml index 47b6be8..7dc42e3 100644 --- a/contrail-controller/templates/daemonset-webui.yaml +++ b/contrail-controller/templates/daemonset-webui.yaml @@ -62,6 +62,12 @@ spec: name: contrail-controller-env - configMapRef: name: contrail-controller-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log 
@@ -82,6 +88,12 @@ spec: name: contrail-controller-env - configMapRef: name: contrail-controller-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/log/contrail/ name: contrail-log diff --git a/contrail-controller/templates/secret-keystone-admin.yaml b/contrail-controller/templates/secret-keystone-admin.yaml new file mode 100644 index 0000000..7bd534b --- /dev/null +++ b/contrail-controller/templates/secret-keystone-admin.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_controller_keystone_admin }} +{{- $envAll := . }} +{{- $secretName := $envAll.Values.secrets.keystone.admin }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password | b64enc }} +{{- end }} diff --git a/contrail-controller/values.yaml b/contrail-controller/values.yaml index cc93271..9699c99 100644 --- a/contrail-controller/values.yaml +++ b/contrail-controller/values.yaml @@ -53,6 +53,10 @@ dependencies: - contrail-config - contrail-redis +# Names of secrets used by bootstrap and environmental checks +secrets: + keystone: + admin: contrail-controller-keystone-admin # typically overriden by environmental # values, but should include all endpoints 
@@ -222,3 +226,4 @@ manifests: service_webui_ingress: true ingress_webui: true ingress_config_api: true + secret_controller_keystone_admin: true diff --git a/contrail-thirdparty/templates/configmap-env.yaml b/contrail-thirdparty/templates/configmap-env.yaml index 0940c49..6f6157c 100644 --- a/contrail-thirdparty/templates/configmap-env.yaml +++ b/contrail-thirdparty/templates/configmap-env.yaml @@ -48,7 +48,6 @@ metadata: data: KEYSTONE_AUTH_ADMIN_USER: {{ .Values.endpoints.keystone.auth.username }} KEYSTONE_AUTH_ADMIN_TENANT: {{ .Values.endpoints.keystone.auth.project_name }} - KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password }} KEYSTONE_AUTH_USER_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.user_domain_name }} KEYSTONE_AUTH_PROJECT_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.project_domain_name }} KEYSTONE_AUTH_URL_VERSION: {{ .Values.endpoints.keystone.path.default }} diff --git a/contrail-thirdparty/templates/daemonset-analyticsdb-nodemgr.yaml b/contrail-thirdparty/templates/daemonset-analyticsdb-nodemgr.yaml index 70dc784..37ef1ee 100644 --- a/contrail-thirdparty/templates/daemonset-analyticsdb-nodemgr.yaml +++ b/contrail-thirdparty/templates/daemonset-analyticsdb-nodemgr.yaml @@ -66,6 +66,11 @@ spec: value: {{ .Values.global.contrail_env.ANALYTICSDB_CQL_PORT | default 9042 | quote }} - name: CASSANDRA_JMX_LOCAL_PORT value: {{ .Values.global.contrail_env.ANALYTICSDB_JMX_LOCAL_PORT | default 7100 | quote }} + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /mnt/docker.sock name: docker-unix-socket diff --git a/contrail-thirdparty/templates/secret-keystone-admin.yaml b/contrail-thirdparty/templates/secret-keystone-admin.yaml new file mode 100644 index 0000000..b065b7c --- /dev/null +++ b/contrail-thirdparty/templates/secret-keystone-admin.yaml 
@@ -0,0 +1,28 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_thirdparty_keystone_admin }} +{{- $envAll := . }} +{{- $secretName := $envAll.Values.secrets.keystone.admin }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password | b64enc }} +{{- end }} diff --git a/contrail-thirdparty/values.yaml b/contrail-thirdparty/values.yaml index 3ae234b..84d594f 100644 --- a/contrail-thirdparty/values.yaml +++ b/contrail-thirdparty/values.yaml @@ -66,6 +66,11 @@ dependencies: daemonset: - contrail-configdb +# Names of secrets used by bootstrap and environmental checks +secrets: + keystone: + admin: contrail-thirdparty-keystone-admin + endpoints: cluster_domain_suffix: cluster.local keystone: @@ -143,3 +148,4 @@ manifests: daemonset_kafka: true daemonset_analyticsdb_nodemgr: true daemonset_configdb_nodemgr: true + secret_thirdparty_keystone_admin: true diff --git a/contrail-vrouter/templates/configmap-env.yaml b/contrail-vrouter/templates/configmap-env.yaml index 7b8813a..ff3f61c 100644 --- a/contrail-vrouter/templates/configmap-env.yaml +++ b/contrail-vrouter/templates/configmap-env.yaml 
@@ -70,7 +70,6 @@ metadata: data: KEYSTONE_AUTH_ADMIN_USER: {{ .Values.endpoints.keystone.auth.username }} KEYSTONE_AUTH_ADMIN_TENANT: {{ .Values.endpoints.keystone.auth.project_name }} - KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password }} KEYSTONE_AUTH_USER_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.user_domain_name }} KEYSTONE_AUTH_PROJECT_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.project_domain_name }} KEYSTONE_AUTH_URL_VERSION: {{ .Values.endpoints.keystone.path.default }} diff --git a/contrail-vrouter/templates/daemonset-vrouter-agent-dpdk.yaml b/contrail-vrouter/templates/daemonset-vrouter-agent-dpdk.yaml index 80ce8a5..449a50d 100644 --- a/contrail-vrouter/templates/daemonset-vrouter-agent-dpdk.yaml +++ b/contrail-vrouter/templates/daemonset-vrouter-agent-dpdk.yaml @@ -62,6 +62,12 @@ spec: name: contrail-vrouter-dpdk - configMapRef: name: contrail-vrouter-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /lib/modules name: lib-modules @@ -84,6 +90,12 @@ spec: name: contrail-vrouter-dpdk - configMapRef: name: contrail-vrouter-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /etc/ name: mount-etc @@ -113,6 +125,12 @@ spec: name: contrail-vrouter-dpdk - configMapRef: name: contrail-vrouter-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /var/lib/contrail/ name: var-lib-contrail 
@@ -145,6 +163,11 @@ spec: value: vrouter - name: DOCKER_HOST value: "unix://mnt/docker.sock" + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /mnt/docker.sock name: docker-unix-socket diff --git a/contrail-vrouter/templates/daemonset-vrouter-agent-kernel.yaml b/contrail-vrouter/templates/daemonset-vrouter-agent-kernel.yaml index 5b5ecd4..2789468 100644 --- a/contrail-vrouter/templates/daemonset-vrouter-agent-kernel.yaml +++ b/contrail-vrouter/templates/daemonset-vrouter-agent-kernel.yaml @@ -64,6 +64,12 @@ spec: name: contrail-vrouter-kernel - configMapRef: name: contrail-vrouter-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /usr/src name: usr-src @@ -82,6 +88,12 @@ spec: name: configmap-vrouter - configMapRef: name: contrail-vrouter-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /lib/modules name: lib-modules @@ -101,6 +113,12 @@ spec: name: contrail-vrouter-kernel - configMapRef: name: contrail-vrouter-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD lifecycle: preStop: exec: @@ -139,6 +157,11 @@ spec: value: vrouter - name: DOCKER_HOST value: "unix://mnt/docker.sock" + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /mnt/docker.sock name: docker-unix-socket 
diff --git a/contrail-vrouter/templates/daemonset-vrouter-agent-sriov.yaml b/contrail-vrouter/templates/daemonset-vrouter-agent-sriov.yaml index 76444ab..faa02d3 100644 --- a/contrail-vrouter/templates/daemonset-vrouter-agent-sriov.yaml +++ b/contrail-vrouter/templates/daemonset-vrouter-agent-sriov.yaml @@ -75,6 +75,12 @@ spec: name: contrail-vrouter-kernel - configMapRef: name: contrail-vrouter-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /usr/src name: usr-src @@ -93,6 +99,12 @@ spec: name: configmap-vrouter - configMapRef: name: contrail-vrouter-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /lib/modules name: lib-modules @@ -101,7 +113,7 @@ spec: - mountPath: /host/bin name: host-bin {{- end }} -{{- else if and $agent_mode ( eq $agent_mode "dpdk" ) }} +{{- else if and $agent_mode ( eq $agent_mode "dpdk" ) }} - name: contrail-vrouter-init-dpdk image: {{ $context.Values.global.images.tags.vrouter_init_dpdk | quote }} imagePullPolicy: {{ default "" $context.Values.global.images.imagePullPolicy | quote }} @@ -112,6 +124,12 @@ spec: name: contrail-vrouter-dpdk - configMapRef: name: contrail-vrouter-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /lib/modules name: lib-modules @@ -125,7 +143,7 @@ spec: name: hugepages {{- end }} containers: -{{- if and $agent_mode ( eq $agent_mode "dpdk" ) }} +{{- if and $agent_mode ( eq $agent_mode "dpdk" ) }} - name: contrail-vrouter-dpdk image: {{ $context.Values.global.images.tags.vrouter_dpdk | quote }} imagePullPolicy: {{ default "" $context.Values.global.images.imagePullPolicy | quote }} 
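Review bot: The added `secretKeyRef` blocks in daemonset-vrouter-agent-sriov.yaml read `.Values.secrets.keystone.admin`, while the surrounding context lines in the same template use `$context.Values...` (for example the `image:` lines). The start of the template is outside the hunks, so it is not certain that `.` is the chart root here. If this body is rendered inside a `define`, `range` or `with`, the name would render empty or fail the render. Using `name: {{ $context.Values.secrets.keystone.admin | quote }}` would match the rest of the file. This applies to all six added blocks in this file, including the ones in the following hunks.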
@@ -136,6 +154,12 @@ spec: name: contrail-vrouter-dpdk - configMapRef: name: contrail-vrouter-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /etc/ name: mount-etc @@ -166,6 +190,12 @@ spec: name: {{ $config_map_name }} - configMapRef: name: contrail-vrouter-keystone + env: + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: {{- if eq $host_os "centos"}} - mountPath: /etc/sysconfig/network-scripts @@ -200,6 +230,11 @@ spec: value: vrouter - name: DOCKER_HOST value: "unix://mnt/docker.sock" + - name: KEYSTONE_AUTH_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.keystone.admin }} + key: KEYSTONE_AUTH_ADMIN_PASSWORD volumeMounts: - mountPath: /mnt/docker.sock name: docker-unix-socket diff --git a/contrail-vrouter/templates/secret-keystone-admin.yaml b/contrail-vrouter/templates/secret-keystone-admin.yaml new file mode 100644 index 0000000..25e0108 --- /dev/null +++ b/contrail-vrouter/templates/secret-keystone-admin.yaml 
@@ -0,0 +1,28 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_vrouter_keystone_admin }} +{{- $envAll := . }} +{{- $secretName := $envAll.Values.secrets.keystone.admin }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password | b64enc }} +{{- end }} diff --git a/contrail-vrouter/values.yaml b/contrail-vrouter/values.yaml index b051b21..93fa7de 100644 --- a/contrail-vrouter/values.yaml +++ b/contrail-vrouter/values.yaml @@ -73,6 +73,11 @@ dependencies: - contrail-config - contrail-control +# Names of secrets used by bootstrap and environmental checks +secrets: + keystone: + admin: contrail-vrouter-keystone-admin + # typically overriden by environmental # values, but should include all endpoints # required by this chart @@ -127,3 +132,4 @@ manifests: daemonset_kernel: true daemonset_dpdk: false daemonset_vrouter_sriov: false + secret_vrouter_keystone_admin: true