From 0575e5da1a52f1cf0eadee1d3fd372c0d6d51f13 Mon Sep 17 00:00:00 2001
From: okozachenko
Date: Thu, 8 Aug 2024 12:22:04 +1000
Subject: [PATCH] Use service tokens in ironic

Change-Id: I738f605182cc7336ca2a363a51f8ae360536d5cc
---
 ironic/Chart.yaml | 2 +-
 ironic/templates/configmap-etc.yaml | 26 ++++++++++++++++++++++++++
 ironic/values.yaml | 9 +++++++--
 releasenotes/notes/ironic.yaml | 1 +
 4 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/ironic/Chart.yaml b/ironic/Chart.yaml
index 24b7c81f31..ab686d66ae 100644
--- a/ironic/Chart.yaml
+++ b/ironic/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ironic
 name: ironic
-version: 0.2.17
+version: 0.2.18
 home: https://docs.openstack.org/ironic/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Ironic/OpenStack_Project_Ironic_vertical.png
 sources:
diff --git a/ironic/templates/configmap-etc.yaml b/ironic/templates/configmap-etc.yaml
index 395a2a4c5a..8b253360cc 100644
--- a/ironic/templates/configmap-etc.yaml
+++ b/ironic/templates/configmap-etc.yaml
@@ -47,6 +47,32 @@ limitations under the License.
 {{- $_ := set .Values.conf.ironic.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
 {{- end -}}
 
+{{- if .Values.conf.ironic.service_user.send_service_user_token -}}
+
+{{- if empty .Values.conf.ironic.service_user.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.ironic.service_user "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.region_name -}}
+{{- $_ := set .Values.conf.ironic.service_user "region_name" .Values.endpoints.identity.auth.ironic.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.project_name -}}
+{{- $_ := set .Values.conf.ironic.service_user "project_name" .Values.endpoints.identity.auth.ironic.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.project_domain_name -}}
+{{- $_ := set .Values.conf.ironic.service_user "project_domain_name" .Values.endpoints.identity.auth.ironic.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.user_domain_name -}}
+{{- $_ := set .Values.conf.ironic.service_user "user_domain_name" .Values.endpoints.identity.auth.ironic.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.username -}}
+{{- $_ := set .Values.conf.ironic.service_user "username" .Values.endpoints.identity.auth.ironic.username -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.password -}}
+{{- $_ := set .Values.conf.ironic.service_user "password" .Values.endpoints.identity.auth.ironic.password -}}
+{{- end -}}
+
+{{- end -}}
+
 {{- if empty .Values.conf.ironic.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "ironic" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.ironic.database "connection" -}}
 {{- end -}}
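Review bot: The last stanza of the added block copies `endpoints.identity.auth.ironic.password` into `conf.ironic.service_user`, so the Keystone password is now rendered into a second section of the generated ironic configuration. The kind of object this template emits is declared outside the hunk, so confirm it is a Secret and not a ConfigMap, as the file name suggests. The outer guard also dereferences `.Values.conf.ironic.service_user` directly, which would presumably fail rendering if an override sets that key to null; the rest of the template is not visible here. A template comment above the block would help operators, for example `{{/* service_user defaults to the ironic Keystone account; set conf.ironic.service_user.* to use a dedicated account */}}`.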
diff --git a/ironic/values.yaml b/ironic/values.yaml
index 2e6e5ff0f2..a94bc3f23c 100644
--- a/ironic/values.yaml
+++ b/ironic/values.yaml
@@ -119,6 +119,8 @@ conf:
 inspector:
 auth_type: password
 keystone_authtoken:
+ service_token_roles: service
+ service_token_roles_required: true
 auth_type: password
 auth_version: v3
 neutron:
@@ -136,6 +138,9 @@ conf:
 ipxe_enabled: true
 service_catalog:
 auth_type: password
+ service_user:
+ auth_type: password
+ send_service_user_token: true
 swift:
 auth_url: null
 oslo_policy:
@@ -471,7 +476,7 @@ endpoints:
 user_domain_name: default
 project_domain_name: default
 glance:
- role: admin
+ role: admin,service
 region_name: RegionOne
 username: glance
 password: password
@@ -479,7 +484,7 @@ endpoints:
 user_domain_name: service
 project_domain_name: service
 ironic:
- role: admin
+ role: admin,service
 region_name: RegionOne
 username: ironic
 password: password
diff --git a/releasenotes/notes/ironic.yaml b/releasenotes/notes/ironic.yaml
index 4358279a30..8eec867ba8 100644
--- a/releasenotes/notes/ironic.yaml
+++ b/releasenotes/notes/ironic.yaml
@@ -21,4 +21,5 @@ ironic:
 - 0.2.15 Allow enabling/disabling of conductor http and pxe containers and overriding their init and runtime scripts
 - 0.2.16 Use quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal by default
 - 0.2.17 Allow overriding of hostNetwork and hostIPC for Ironic conductor
+ - 0.2.18 Use service tokens
 ...
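Review bot: In the first values.yaml hunk (`keystone_authtoken`), `service_token_roles_required: true` means a service token whose user lacks the `service` role is no longer treated as valid by the Ironic API, yet this commit only adds that role to the `glance` and `ironic` accounts defined in this chart. Accounts of other services that send service tokens to Ironic are created by other charts and are not visible here, so the rollout order should be checked before this default reaches an existing deployment. A comment such as `# service tokens without one of service_token_roles are treated as invalid` fits above the two new keys, and the release note could read `0.2.18 Use service tokens; callers sending service tokens to Ironic need the service role`.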
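Review bot: `role: admin,service` in the `glance` hunk of values.yaml (and again in the `ironic` hunk that follows) packs two roles into one string, so it only works if the user-creation job that consumes `endpoints.identity.auth.*.role` splits on commas. That job is outside this diff; if it does not split, it would presumably look for a single role literally named `admin,service`. The `ironic` account, which `service_user` now uses for outbound service tokens, also keeps `admin` next to the new `service` role, so the credential is broader than the service-token check needs and a follow-up could narrow it. A comment such as `# comma-separated; every listed role is granted to the user` above the changed line would record the format.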