Keystone: break domain management out of generic bootstrap

This PS breaks domain management out of the generic bootstrap
job.

Change-Id: I9d26b58cffee0cd13f75113b2dbdf4eac16a6cf7
This commit is contained in:
portdirect 2018-02-17 14:55:13 -05:00 committed by Pete Birley
parent 96ca93521d
commit cf34a995ac
9 changed files with 200 additions and 19 deletions

View File

@ -17,8 +17,5 @@ limitations under the License.
*/}} */}}
set -ex set -ex
{{- range $k, $v := .Values.conf.ks_domains }}
openstack --debug domain create --or-show {{ $k }}
keystone-manage domain_config_upload --domain-name {{ $k }} || true
{{- end }}
{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }} {{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}

View File

@ -0,0 +1,22 @@
#!/bin/bash
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
{{- range $k, $v := .Values.conf.ks_domains }}
openstack --debug domain create --or-show {{ $k }}
{{- end }}

View File

@ -0,0 +1,22 @@
#!/bin/bash
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
{{- range $k, $v := .Values.conf.ks_domains }}
keystone-manage domain_config_upload --domain-name {{ $k }} || true
{{- end }}

View File

@ -41,4 +41,8 @@ data:
{{ tuple "bin/_keystone-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_keystone-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
fernet-manage.py: | fernet-manage.py: |
{{ tuple "bin/_fernet-manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_fernet-manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
domain-manage-init.sh: |
{{ tuple "bin/_domain-manage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
domain-manage.sh: |
{{ tuple "bin/_domain-manage.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }} {{- end }}

View File

@ -43,7 +43,7 @@ spec:
{{ tuple $envAll $dependencies $mounts_keystone_bootstrap_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ tuple $envAll $dependencies $mounts_keystone_bootstrap_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers: containers:
- name: keystone-bootstrap - name: keystone-bootstrap
image: {{ .Values.images.tags.keystone_bootstrap }} image: {{ .Values.images.tags.bootstrap }}
imagePullPolicy: {{ .Values.images.pull_policy }} imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env: env:

View File

@ -0,0 +1,117 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.job_domain_manage }}
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.domain_manage }}
{{- $mounts_keystone_domain_manage := .Values.pod.mounts.keystone_domain_manage.keystone_domain_manage }}
{{- $mounts_keystone_domain_manage_init := .Values.pod.mounts.keystone_domain_manage.init_container }}
{{- $serviceAccountName := "keystone-domain-manage" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: keystone-domain-manage
spec:
template:
metadata:
labels:
{{ tuple $envAll "keystone" "domain-manage" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
initContainers:
{{ tuple $envAll $dependencies $mounts_keystone_domain_manage_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: keystone-domain-manage-init
image: {{ .Values.images.tags.bootstrap }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
command:
- /tmp/domain-manage-init.sh
volumeMounts:
- name: keystone-bin
mountPath: /tmp/domain-manage-init.sh
subPath: domain-manage-init.sh
readOnly: true
containers:
- name: keystone-domain-manage
image: {{ .Values.images.tags.keystone_domain_manage }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
command:
- /tmp/domain-manage.sh
volumeMounts:
- name: etckeystonedomains
mountPath: {{ .Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}
- name: etckeystone
mountPath: /etc/keystone
- name: keystone-bin
mountPath: /tmp/domain-manage.sh
subPath: domain-manage.sh
readOnly: true
- name: keystone-etc
mountPath: /etc/keystone/keystone.conf
subPath: keystone.conf
readOnly: true
{{- range $k, $v := .Values.conf.ks_domains }}
- name: keystone-etc
mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}/keystone.{{ $k }}.conf
subPath: keystone.{{ $k }}.conf
readOnly: true
{{- end }}
{{- if eq .Values.conf.keystone.token.provider "fernet" }}
- name: keystone-fernet-keys
mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
{{- end }}
- name: keystone-credential-keys
mountPath: {{ .Values.conf.keystone.credential.key_repository }}
{{ if $mounts_keystone_domain_manage.volumeMounts }}{{ toYaml $mounts_keystone_domain_manage.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: etckeystone
emptyDir: {}
- name: etckeystonedomains
emptyDir: {}
- name: keystone-etc
configMap:
name: keystone-etc
defaultMode: 0444
- name: keystone-bin
configMap:
name: keystone-bin
defaultMode: 0555
{{- if eq .Values.conf.keystone.token.provider "fernet" }}
- name: keystone-fernet-keys
secret:
secretName: keystone-fernet-keys
{{- end }}
- name: keystone-credential-keys
secret:
secretName: keystone-credential-keys
{{ if $mounts_keystone_domain_manage.volumes }}{{ toYaml $mounts_keystone_domain_manage.volumes | indent 9 }}{{ end }}
{{- end }}

View File

@ -25,7 +25,7 @@ release_group: null
images: images:
tags: tags:
keystone_bootstrap: docker.io/openstackhelm/heat:newton bootstrap: docker.io/openstackhelm/heat:newton
test: docker.io/kolla/ubuntu-source-rally:4.0.0 test: docker.io/kolla/ubuntu-source-rally:4.0.0
db_init: docker.io/openstackhelm/heat:newton db_init: docker.io/openstackhelm/heat:newton
keystone_db_sync: docker.io/openstackhelm/keystone:newton keystone_db_sync: docker.io/openstackhelm/keystone:newton
@ -36,6 +36,7 @@ images:
keystone_credential_setup: docker.io/openstackhelm/keystone:newton keystone_credential_setup: docker.io/openstackhelm/keystone:newton
keystone_credential_rotate: docker.io/openstackhelm/keystone:newton keystone_credential_rotate: docker.io/openstackhelm/keystone:newton
keystone_api: docker.io/openstackhelm/keystone:newton keystone_api: docker.io/openstackhelm/keystone:newton
keystone_domain_manage: docker.io/openstackhelm/keystone:newton
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
pull_policy: "IfNotPresent" pull_policy: "IfNotPresent"
@ -112,6 +113,12 @@ dependencies:
services: services:
- service: identity - service: identity
endpoint: internal endpoint: internal
jobs:
- keystone-domain-manage
domain_manage:
services:
- service: identity
endpoint: internal
pod: pod:
affinity: affinity:
@ -148,6 +155,9 @@ pod:
keystone_credential_rotate: keystone_credential_rotate:
init_container: null init_container: null
keystone_credential_rotate: keystone_credential_rotate:
keystone_domain_manage:
init_container: null
keystone_domain_manage:
replicas: replicas:
api: 1 api: 1
lifecycle: lifecycle:
@ -181,6 +191,13 @@ pod:
limits: limits:
memory: "1024Mi" memory: "1024Mi"
cpu: "2000m" cpu: "2000m"
domain_manage:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init: db_init:
requests: requests:
memory: "128Mi" memory: "128Mi"
@ -807,6 +824,7 @@ manifests:
job_db_init: true job_db_init: true
job_db_sync: true job_db_sync: true
job_db_drop: false job_db_drop: false
job_domain_manage: true
job_fernet_setup: true job_fernet_setup: true
pdb_api: true pdb_api: true
pod_rally_test: true pod_rally_test: true

View File

@ -242,21 +242,22 @@ data:
labels: labels:
application: keystone application: keystone
component: credential-setup component: credential-setup
- name: keystone-db-init - type: job
type: job
labels: labels:
application: keystone application: keystone
component: db-init component: db-init
- name: keystone-db-sync - type: job
type: job
labels: labels:
application: keystone application: keystone
component: db-sync component: db-sync
- name: keystone-fernet-setup - type: job
type: job
labels: labels:
application: keystone application: keystone
component: fernet-setup component: fernet-setup
- type: job
labels:
application: keystone
component: domain-manage
values: values:
endpoints: endpoints:
identity: identity:

View File

@ -35,11 +35,17 @@ images:
heat_engine: 'docker.io/kolla/ubuntu-source-heat-engine:3.0.3' heat_engine: 'docker.io/kolla/ubuntu-source-heat-engine:3.0.3'
horizon: 'docker.io/kolla/ubuntu-source-horizon:ocata' horizon: 'docker.io/kolla/ubuntu-source-horizon:ocata'
horizon_db_sync: 'docker.io/kolla/ubuntu-source-horizon:ocata' horizon_db_sync: 'docker.io/kolla/ubuntu-source-horizon:ocata'
ironic_api: 'docker.io/kolla/ubuntu-source-ironic-api:3.0.3'
ironic_bootstrap: 'docker.io/kolla/ubuntu-source-heat-engine:3.0.3'
ironic_conductor: 'docker.io/kolla/ubuntu-source-ironic-conductor:3.0.3'
ironic_db_sync: 'docker.io/kolla/ubuntu-source-ironic-api:3.0.3'
ironic_pxe: 'docker.io/kolla/ubuntu-source-ironic-pxe:3.0.3'
ironic_pxe_init: 'docker.io/kolla/ubuntu-source-ironic-pxe:3.0.3'
keystone_api: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' keystone_api: 'docker.io/kolla/ubuntu-source-keystone:3.0.3'
keystone_bootstrap: 'docker.io/kolla/ubuntu-source-keystone:3.0.3'
keystone_credential_rotate: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' keystone_credential_rotate: 'docker.io/kolla/ubuntu-source-keystone:3.0.3'
keystone_credential_setup: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' keystone_credential_setup: 'docker.io/kolla/ubuntu-source-keystone:3.0.3'
keystone_db_sync: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' keystone_db_sync: 'docker.io/kolla/ubuntu-source-keystone:3.0.3'
keystone_domain_manage: 'docker.io/kolla/ubuntu-source-keystone:3.0.3'
keystone_fernet_rotate: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' keystone_fernet_rotate: 'docker.io/kolla/ubuntu-source-keystone:3.0.3'
keystone_fernet_setup: 'docker.io/kolla/ubuntu-source-keystone:3.0.3' keystone_fernet_setup: 'docker.io/kolla/ubuntu-source-keystone:3.0.3'
ks_endpoints: 'docker.io/kolla/ubuntu-source-heat-engine:3.0.3' ks_endpoints: 'docker.io/kolla/ubuntu-source-heat-engine:3.0.3'
@ -74,12 +80,6 @@ images:
senlin_db_sync: 'docker.io/kolla/ubuntu-source-senlin-api:3.0.3' senlin_db_sync: 'docker.io/kolla/ubuntu-source-senlin-api:3.0.3'
senlin_engine: 'docker.io/kolla/ubuntu-source-senlin-engine:3.0.3' senlin_engine: 'docker.io/kolla/ubuntu-source-senlin-engine:3.0.3'
test: 'docker.io/kolla/ubuntu-source-rally:4.0.0' test: 'docker.io/kolla/ubuntu-source-rally:4.0.0'
ironic_bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
ironic_db_sync: docker.io/kolla/ubuntu-source-ironic-api:3.0.3
ironic_api: docker.io/kolla/ubuntu-source-ironic-api:3.0.3
ironic_conductor: docker.io/kolla/ubuntu-source-ironic-conductor:3.0.3
ironic_pxe: docker.io/kolla/ubuntu-source-ironic-pxe:3.0.3
ironic_pxe_init: docker.io/kolla/ubuntu-source-ironic-pxe:3.0.3
pod: pod:
user: user:
barbican: barbican: