Provide contrail admin password as Kubernetes secret

Modify all Helm charts in order to consume KEYSTONE_AUTH_ADMIN_PASSWORD
as a Secret rather than a ConfigMap value.

Change-Id: I936d6a43b091d8f64724fbfc12e8d61b5dae5d41
Closes-Bug: #1782730

contrail-analytics/templates/configmap-env.yaml

@@ -23,7 +23,6 @@ metadata:
 data:
   KEYSTONE_AUTH_ADMIN_USER: {{ .Values.endpoints.keystone.auth.username }}
   KEYSTONE_AUTH_ADMIN_TENANT: {{ .Values.endpoints.keystone.auth.project_name }}
-  KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password }}
   KEYSTONE_AUTH_USER_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.user_domain_name }}
   KEYSTONE_AUTH_PROJECT_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.project_domain_name }}
   KEYSTONE_AUTH_URL_VERSION: {{ .Values.endpoints.keystone.path.default }}

contrail-analytics/templates/daemonset-analytics.yaml

@@ -62,6 +62,12 @@ spec:
             name: contrail-analytics-env
         - configMapRef:
             name: contrail-analytics-keystone
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log
@@ -79,6 +85,12 @@ spec:
             name: contrail-analytics-keystone
         - configMapRef:
             name: contrail-analytics-rabbitmq
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log
@@ -94,6 +106,12 @@ spec:
             name: contrail-analytics-keystone
         - configMapRef:
             name: contrail-analytics-rabbitmq
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log
@@ -107,6 +125,12 @@ spec:
             name: contrail-analytics-env
         - configMapRef:
             name: contrail-analytics-keystone
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log
@@ -155,6 +179,11 @@ spec:
           value: analytics
         - name: DOCKER_HOST
           value: "unix://mnt/docker.sock"
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log

contrail-analytics/templates/secret-keystone-admin.yaml

@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_analytics_keystone_admin }}
+{{- $envAll := . }}
+{{- $secretName := $envAll.Values.secrets.keystone.admin }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password | b64enc }}
+{{- end }}

contrail-analytics/values.yaml

@@ -36,6 +36,11 @@ dependencies:
     - contrail-analyticsdb
     - contrail-config
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  keystone:
+    admin: contrail-analytics-keystone-admin
+
 # typically overriden by environmental
 # values, but should include all endpoints
 # required by this chart
@@ -105,3 +110,4 @@ manifests:
   service_analytics_api_server: true
   service_analytics_api_ingress: true
   ingress_analytics_api: true
+  secret_analytics_keystone_admin: true

contrail-controller/templates/configmap-env.yaml

@@ -64,7 +64,6 @@ metadata:
 data:
   KEYSTONE_AUTH_ADMIN_USER: {{ .Values.endpoints.keystone.auth.username }}
   KEYSTONE_AUTH_ADMIN_TENANT: {{ .Values.endpoints.keystone.auth.project_name }}
-  KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password }}
   KEYSTONE_AUTH_USER_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.user_domain_name }}
   KEYSTONE_AUTH_PROJECT_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.project_domain_name }}
   KEYSTONE_AUTH_URL_VERSION: {{ .Values.endpoints.keystone.path.default }}

contrail-controller/templates/daemonset-config.yaml

@@ -64,6 +64,12 @@ spec:
             name: contrail-controller-keystone
         - configMapRef:
             name: contrail-controller-rabbitmq
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log
@@ -81,6 +87,12 @@ spec:
             name: contrail-controller-keystone
         - configMapRef:
             name: contrail-controller-rabbitmq
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log
@@ -96,6 +108,12 @@ spec:
             name: contrail-controller-keystone
         - configMapRef:
             name: contrail-controller-rabbitmq
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log
@@ -111,6 +129,12 @@ spec:
             name: contrail-controller-keystone
         - configMapRef:
             name: contrail-controller-rabbitmq
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log
@@ -133,6 +157,11 @@ spec:
           value: {{ .Values.global.contrail_env.CONFIGDB_CQL_PORT | default 9041 | quote }}
         - name: CASSANDRA_JMX_LOCAL_PORT
           value: {{ .Values.global.contrail_env.CONFIGDB_JMX_LOCAL_PORT | default 7200 | quote }}
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /mnt/docker.sock
           name: docker-unix-socket

contrail-controller/templates/daemonset-control-only.yaml

@@ -61,6 +61,12 @@ spec:
             name: contrail-controller-keystone
         - configMapRef:
             name: contrail-controller-rabbitmq
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log

contrail-controller/templates/daemonset-control.yaml

@@ -60,6 +60,12 @@ spec:
             name: contrail-controller-keystone
         - configMapRef:
             name: contrail-controller-rabbitmq
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log
@@ -77,6 +83,12 @@ spec:
             name: contrail-controller-keystone
         - configMapRef:
             name: contrail-controller-rabbitmq
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log
@@ -96,6 +108,12 @@ spec:
             name: contrail-controller-keystone
         - configMapRef:
             name: contrail-controller-rabbitmq
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log
@@ -116,6 +134,11 @@ spec:
           value: control
         - name: DOCKER_HOST
           value: "unix://mnt/docker.sock"
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /mnt/docker.sock
           name: docker-unix-socket

contrail-controller/templates/daemonset-webui.yaml

@@ -62,6 +62,12 @@ spec:
             name: contrail-controller-env
         - configMapRef:
             name: contrail-controller-keystone
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log
@@ -82,6 +88,12 @@ spec:
             name: contrail-controller-env
         - configMapRef:
             name: contrail-controller-keystone
+        env:
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /var/log/contrail/
           name: contrail-log

contrail-controller/templates/secret-keystone-admin.yaml

@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_controller_keystone_admin }}
+{{- $envAll := . }}
+{{- $secretName := $envAll.Values.secrets.keystone.admin }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password | b64enc }}
+{{- end }}

contrail-controller/values.yaml

@@ -53,6 +53,10 @@ dependencies:
     - contrail-config
     - contrail-redis
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  keystone:
+    admin: contrail-controller-keystone-admin
 
 # typically overriden by environmental
 # values, but should include all endpoints
@@ -222,3 +226,4 @@ manifests:
   service_webui_ingress: true
   ingress_webui: true
   ingress_config_api: true
+  secret_controller_keystone_admin: true

contrail-thirdparty/templates/configmap-env.yaml

@@ -48,7 +48,6 @@ metadata:
 data:
   KEYSTONE_AUTH_ADMIN_USER: {{ .Values.endpoints.keystone.auth.username }}
   KEYSTONE_AUTH_ADMIN_TENANT: {{ .Values.endpoints.keystone.auth.project_name }}
-  KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password }}
   KEYSTONE_AUTH_USER_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.user_domain_name }}
   KEYSTONE_AUTH_PROJECT_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.project_domain_name }}
   KEYSTONE_AUTH_URL_VERSION: {{ .Values.endpoints.keystone.path.default }}

contrail-thirdparty/templates/daemonset-analyticsdb-nodemgr.yaml

@@ -66,6 +66,11 @@ spec:
           value: {{ .Values.global.contrail_env.ANALYTICSDB_CQL_PORT | default 9042 | quote }}
         - name: CASSANDRA_JMX_LOCAL_PORT
           value: {{ .Values.global.contrail_env.ANALYTICSDB_JMX_LOCAL_PORT | default 7100 | quote }}
+        - name: KEYSTONE_AUTH_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secrets.keystone.admin }}
+              key: KEYSTONE_AUTH_ADMIN_PASSWORD
         volumeMounts:
         - mountPath: /mnt/docker.sock
           name: docker-unix-socket

contrail-thirdparty/templates/secret-keystone-admin.yaml

@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_thirdparty_keystone_admin }}
+{{- $envAll := . }}
+{{- $secretName := $envAll.Values.secrets.keystone.admin }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+  KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password | b64enc }}
+{{- end }}

contrail-thirdparty/values.yaml

@@ -66,6 +66,11 @@ dependencies:
     daemonset:
     - contrail-configdb
 
+# Names of secrets used by bootstrap and environmental checks
+secrets:
+  keystone:
+    admin: contrail-thirdparty-keystone-admin
+
 endpoints:
   cluster_domain_suffix: cluster.local
   keystone:
@@ -143,3 +148,4 @@ manifests:
   daemonset_kafka: true
   daemonset_analyticsdb_nodemgr: true
   daemonset_configdb_nodemgr: true
+  secret_thirdparty_keystone_admin: true

contrail-vrouter/templates/configmap-env.yaml

@@ -70,7 +70,6 @@ metadata:
 data:
   KEYSTONE_AUTH_ADMIN_USER: {{ .Values.endpoints.keystone.auth.username }}
   KEYSTONE_AUTH_ADMIN_TENANT: {{ .Values.endpoints.keystone.auth.project_name }}
-  KEYSTONE_AUTH_ADMIN_PASSWORD: {{ .Values.endpoints.keystone.auth.password }}
   KEYSTONE_AUTH_USER_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.user_domain_name }}
   KEYSTONE_AUTH_PROJECT_DOMAIN_NAME: {{ .Values.endpoints.keystone.auth.project_domain_name }}
   KEYSTONE_AUTH_URL_VERSION: {{ .Values.endpoints.keystone.path.default }}