From afa0ecd1dfedb87fef916597d52f5dca60c3a865 Mon Sep 17 00:00:00 2001 From: Pete Birley Date: Fri, 13 Jan 2017 00:22:00 +0000 Subject: [PATCH] Keystone Load Complete Configs This PS loads all the required keystone configuration files into a container for an apache based deployment. It allows OpenStack-Helm to be image agnosic, meaning operators can use any Apache based Keystone image they want. --- keystone/templates/bin/_db-sync.sh.tpl | 27 +-- keystone/templates/bin/_init.sh.tpl | 19 +- keystone/templates/bin/_start.sh.tpl | 16 +- keystone/templates/configmap-etc.yaml | 8 +- keystone/templates/deployment.yaml | 43 +++- .../templates/etc/_keystone-paste.ini.tpl | 97 +++++++++ keystone/templates/etc/_policy.json.tpl | 199 ++++++++++++++++++ .../etc/_sso_callback_template.html.tpl | 22 ++ .../templates/etc/_wsgi-keystone.conf.tpl | 17 +- keystone/templates/job-db-sync.yaml | 8 +- keystone/values.yaml | 1 - 11 files changed, 419 insertions(+), 38 deletions(-) create mode 100644 keystone/templates/etc/_keystone-paste.ini.tpl create mode 100644 keystone/templates/etc/_policy.json.tpl create mode 100644 keystone/templates/etc/_sso_callback_template.html.tpl diff --git a/keystone/templates/bin/_db-sync.sh.tpl b/keystone/templates/bin/_db-sync.sh.tpl index 89c4c5de84..e4f69c7214 100644 --- a/keystone/templates/bin/_db-sync.sh.tpl +++ b/keystone/templates/bin/_db-sync.sh.tpl @@ -1,22 +1,13 @@ #!/bin/bash set -ex -# order of kolla_keystone_bootstrap urls -# for those of looking for a little expanation -# to a mysterious blackbox -# -# these will feed into the keystone endpoints -# so it is important they are correct -# -# keystone_admin_url -# keystone_internal_url -# keystone_public_url - -keystone-manage db_sync -kolla_keystone_bootstrap {{ .Values.keystone.admin_user }} {{ .Values.keystone.admin_password }} \ - {{ .Values.keystone.admin_project_name }} admin \ - {{ include "endpoint_keystone_admin" . }} \ - {{ include "endpoint_keystone_internal" . }} \ - {{ include "endpoint_keystone_internal" . }} \ - {{ .Values.keystone.admin_region_name }} +keystone-manage --config-file=/etc/keystone/keystone.conf db_sync +keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \ + --bootstrap-username {{ .Values.keystone.admin_user }} \ + --bootstrap-password {{ .Values.keystone.admin_password }} \ + --bootstrap-project-name {{ .Values.keystone.admin_project_name }} \ + --bootstrap-admin-url {{ include "endpoint_keystone_admin" . }} \ + --bootstrap-public-url {{ include "endpoint_keystone_internal" . }} \ + --bootstrap-internal-url {{ include "endpoint_keystone_internal" . }} \ + --bootstrap-region-id {{ .Values.keystone.admin_region_name }} diff --git a/keystone/templates/bin/_init.sh.tpl b/keystone/templates/bin/_init.sh.tpl index 0d47c4ba71..f48157a2ce 100644 --- a/keystone/templates/bin/_init.sh.tpl +++ b/keystone/templates/bin/_init.sh.tpl @@ -2,5 +2,20 @@ set -ex export HOME=/tmp -ansible localhost -vvv -m mysql_db -a "login_host='{{ include "keystone_db_host" . }}' login_port='{{ .Values.database.port }}' login_user='{{ .Values.database.root_user }}' login_password='{{ .Values.database.root_password }}' name='{{ .Values.database.keystone_database_name }}'" -ansible localhost -vvv -m mysql_user -a "login_host='{{ include "keystone_db_host" . }}' login_port='{{ .Values.database.port }}' login_user='{{ .Values.database.root_user }}' login_password='{{ .Values.database.root_password }}' name='{{ .Values.database.keystone_user }}' password='{{ .Values.database.keystone_password }}' host='%' priv='{{ .Values.database.keystone_database_name }}.*:ALL' append_privs='yes'" +ansible localhost -vvv \ + -m mysql_db -a "login_host='{{ include "keystone_db_host" . }}' \ + login_port='{{ .Values.database.port }}' \ + login_user='{{ .Values.database.root_user }}' \ + login_password='{{ .Values.database.root_password }}' \ + name='{{ .Values.database.keystone_database_name }}'" + +ansible localhost -vvv \ + -m mysql_user -a "login_host='{{ include "keystone_db_host" . }}' \ + login_port='{{ .Values.database.port }}' \ + login_user='{{ .Values.database.root_user }}' \ + login_password='{{ .Values.database.root_password }}' \ + name='{{ .Values.database.keystone_user }}' \ + password='{{ .Values.database.keystone_password }}' \ + host='%' \ + priv='{{ .Values.database.keystone_database_name }}.*:ALL' \ + append_privs='yes'" diff --git a/keystone/templates/bin/_start.sh.tpl b/keystone/templates/bin/_start.sh.tpl index 4bafe63ee4..72529c2f32 100644 --- a/keystone/templates/bin/_start.sh.tpl +++ b/keystone/templates/bin/_start.sh.tpl @@ -1,8 +1,10 @@ -#!/bin/bash -set -ex - -# Loading Apache2 ENV variables -source /etc/apache2/envvars +#!/bin/bash +set -ex -# start apache with any container arguments -apache2 -DFOREGROUND $* +if [ -f /etc/apache2/envvars ]; then + # Loading Apache2 ENV variables + source /etc/apache2/envvars +fi + +# Start Apache2 +exec apache2 -DFOREGROUND diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml index b59534ee98..3ad7dc8293 100644 --- a/keystone/templates/configmap-etc.yaml +++ b/keystone/templates/configmap-etc.yaml @@ -6,6 +6,12 @@ data: keystone.conf: |+ {{ tuple "etc/_keystone.conf.tpl" . | include "template" | indent 4 }} mpm_event.conf: |+ -{{ tuple "etc/_mpm_event.conf.tpl" . | include "template" | indent 4 }} +{{ tuple "etc/_mpm_event.conf.tpl" . | include "template" | indent 4 }} wsgi-keystone.conf: |+ {{ tuple "etc/_wsgi-keystone.conf.tpl" . | include "template" | indent 4 }} + policy.json: |+ +{{ tuple "etc/_policy.json.tpl" . | include "template" | indent 4 }} + keystone-paste.ini: |+ +{{ tuple "etc/_keystone-paste.ini.tpl" . | include "template" | indent 4 }} + sso_callback_template.html: |+ +{{ tuple "etc/_sso_callback_template.html.tpl" . | include "template" | indent 4 }} diff --git a/keystone/templates/deployment.yaml b/keystone/templates/deployment.yaml index 49917adaed..49b84d0084 100644 --- a/keystone/templates/deployment.yaml +++ b/keystone/templates/deployment.yaml @@ -11,14 +11,14 @@ spec: rollingUpdate: maxUnavailable: {{ .Values.upgrades.rolling_update.max_unavailable }} maxSurge: {{ .Values.upgrades.rolling_update.max_surge }} - {{ end }} + {{ end }} template: metadata: labels: app: keystone-api annotations: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "hash" }} - configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "hash" }} pod.beta.kubernetes.io/init-containers: '[ { "name": "init", @@ -44,7 +44,7 @@ spec: { "name": "COMMAND", "value": "echo done" - } + } ] } ]' @@ -61,26 +61,62 @@ spec: ports: - containerPort: {{ .Values.network.port.public }} - containerPort: {{ .Values.network.port.admin }} + lifecycle: + preStop: + exec: + command: + - apachectl + - -k + - graceful-stop readinessProbe: tcpSocket: port: {{ .Values.network.port.public }} volumeMounts: + - name: pod-etc-keystone + mountPath: /etc/keystone - name: keystoneconf mountPath: /etc/keystone/keystone.conf subPath: keystone.conf + readOnly: true + - name: keystonepaste + mountPath: /etc/keystone/keystone-paste.ini + subPath: keystone-paste.ini + readOnly: true + - name: keystonepolicy + mountPath: /etc/keystone/policy.json + subPath: policy.json + readOnly: true + - name: keystonessotemplate + mountPath: /etc/keystone/sso_callback_template.html + subPath: sso_callback_template.html + readOnly: true - name: wsgikeystone mountPath: /etc/apache2/conf-enabled/wsgi-keystone.conf subPath: wsgi-keystone.conf + readOnly: true - name: mpmeventconf mountPath: /etc/apache2/mods-available/mpm_event.conf subPath: mpm_event.conf + readOnly: true - name: startsh mountPath: /tmp/start.sh subPath: start.sh + readOnly: true volumes: + - name: pod-etc-keystone + emptyDir: {} - name: keystoneconf configMap: name: keystone-etc + - name: keystonepaste + configMap: + name: keystone-etc + - name: keystonepolicy + configMap: + name: keystone-etc + - name: keystonessotemplate + configMap: + name: keystone-etc - name: wsgikeystone configMap: name: keystone-etc @@ -90,4 +126,3 @@ spec: - name: startsh configMap: name: keystone-bin - diff --git a/keystone/templates/etc/_keystone-paste.ini.tpl b/keystone/templates/etc/_keystone-paste.ini.tpl new file mode 100644 index 0000000000..0d058ac009 --- /dev/null +++ b/keystone/templates/etc/_keystone-paste.ini.tpl @@ -0,0 +1,97 @@ +# Keystone PasteDeploy configuration file. + +[filter:debug] +use = egg:oslo.middleware#debug + +[filter:request_id] +use = egg:oslo.middleware#request_id + +[filter:build_auth_context] +use = egg:keystone#build_auth_context + +[filter:token_auth] +use = egg:keystone#token_auth + +[filter:admin_token_auth] +# This is deprecated in the M release and will be removed in the O release. +# Use `keystone-manage bootstrap` and remove this from the pipelines below. +use = egg:keystone#admin_token_auth + +[filter:json_body] +use = egg:keystone#json_body + +[filter:cors] +use = egg:oslo.middleware#cors +oslo_config_project = keystone + +[filter:http_proxy_to_wsgi] +use = egg:oslo.middleware#http_proxy_to_wsgi + +[filter:healthcheck] +use = egg:oslo.middleware#healthcheck + +[filter:ec2_extension] +use = egg:keystone#ec2_extension + +[filter:ec2_extension_v3] +use = egg:keystone#ec2_extension_v3 + +[filter:s3_extension] +use = egg:keystone#s3_extension + +[filter:url_normalize] +use = egg:keystone#url_normalize + +[filter:sizelimit] +use = egg:oslo.middleware#sizelimit + +[filter:osprofiler] +use = egg:osprofiler#osprofiler + +[app:public_service] +use = egg:keystone#public_service + +[app:service_v3] +use = egg:keystone#service_v3 + +[app:admin_service] +use = egg:keystone#admin_service + +[pipeline:public_api] +# The last item in this pipeline must be public_service or an equivalent +# application. It cannot be a filter. +pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service + +[pipeline:admin_api] +# The last item in this pipeline must be admin_service or an equivalent +# application. It cannot be a filter. +pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service + +[pipeline:api_v3] +# The last item in this pipeline must be service_v3 or an equivalent +# application. It cannot be a filter. +pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3 + +[app:public_version_service] +use = egg:keystone#public_version_service + +[app:admin_version_service] +use = egg:keystone#admin_version_service + +[pipeline:public_version_api] +pipeline = healthcheck cors sizelimit osprofiler url_normalize public_version_service + +[pipeline:admin_version_api] +pipeline = healthcheck cors sizelimit osprofiler url_normalize admin_version_service + +[composite:main] +use = egg:Paste#urlmap +/v2.0 = public_api +/v3 = api_v3 +/ = public_version_api + +[composite:admin] +use = egg:Paste#urlmap +/v2.0 = admin_api +/v3 = api_v3 +/ = admin_version_api diff --git a/keystone/templates/etc/_policy.json.tpl b/keystone/templates/etc/_policy.json.tpl new file mode 100644 index 0000000000..ddf2396272 --- /dev/null +++ b/keystone/templates/etc/_policy.json.tpl @@ -0,0 +1,199 @@ +{ + "admin_required": "role:admin or is_admin:1", + "service_role": "role:service", + "service_or_admin": "rule:admin_required or rule:service_role", + "owner" : "user_id:%(user_id)s", + "admin_or_owner": "rule:admin_required or rule:owner", + "token_subject": "user_id:%(target.token.user_id)s", + "admin_or_token_subject": "rule:admin_required or rule:token_subject", + "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject", + + "default": "rule:admin_required", + + "identity:get_region": "", + "identity:list_regions": "", + "identity:create_region": "rule:admin_required", + "identity:update_region": "rule:admin_required", + "identity:delete_region": "rule:admin_required", + + "identity:get_service": "rule:admin_required", + "identity:list_services": "rule:admin_required", + "identity:create_service": "rule:admin_required", + "identity:update_service": "rule:admin_required", + "identity:delete_service": "rule:admin_required", + + "identity:get_endpoint": "rule:admin_required", + "identity:list_endpoints": "rule:admin_required", + "identity:create_endpoint": "rule:admin_required", + "identity:update_endpoint": "rule:admin_required", + "identity:delete_endpoint": "rule:admin_required", + + "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s", + "identity:list_domains": "rule:admin_required", + "identity:create_domain": "rule:admin_required", + "identity:update_domain": "rule:admin_required", + "identity:delete_domain": "rule:admin_required", + + "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s", + "identity:list_projects": "rule:admin_required", + "identity:list_user_projects": "rule:admin_or_owner", + "identity:create_project": "rule:admin_required", + "identity:update_project": "rule:admin_required", + "identity:delete_project": "rule:admin_required", + + "identity:get_user": "rule:admin_or_owner", + "identity:list_users": "rule:admin_required", + "identity:create_user": "rule:admin_required", + "identity:update_user": "rule:admin_required", + "identity:delete_user": "rule:admin_required", + "identity:change_password": "rule:admin_or_owner", + + "identity:get_group": "rule:admin_required", + "identity:list_groups": "rule:admin_required", + "identity:list_groups_for_user": "rule:admin_or_owner", + "identity:create_group": "rule:admin_required", + "identity:update_group": "rule:admin_required", + "identity:delete_group": "rule:admin_required", + "identity:list_users_in_group": "rule:admin_required", + "identity:remove_user_from_group": "rule:admin_required", + "identity:check_user_in_group": "rule:admin_required", + "identity:add_user_to_group": "rule:admin_required", + + "identity:get_credential": "rule:admin_required", + "identity:list_credentials": "rule:admin_required", + "identity:create_credential": "rule:admin_required", + "identity:update_credential": "rule:admin_required", + "identity:delete_credential": "rule:admin_required", + + "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", + "identity:ec2_list_credentials": "rule:admin_or_owner", + "identity:ec2_create_credential": "rule:admin_or_owner", + "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", + + "identity:get_role": "rule:admin_required", + "identity:list_roles": "rule:admin_required", + "identity:create_role": "rule:admin_required", + "identity:update_role": "rule:admin_required", + "identity:delete_role": "rule:admin_required", + "identity:get_domain_role": "rule:admin_required", + "identity:list_domain_roles": "rule:admin_required", + "identity:create_domain_role": "rule:admin_required", + "identity:update_domain_role": "rule:admin_required", + "identity:delete_domain_role": "rule:admin_required", + + "identity:get_implied_role": "rule:admin_required ", + "identity:list_implied_roles": "rule:admin_required", + "identity:create_implied_role": "rule:admin_required", + "identity:delete_implied_role": "rule:admin_required", + "identity:list_role_inference_rules": "rule:admin_required", + "identity:check_implied_role": "rule:admin_required", + + "identity:check_grant": "rule:admin_required", + "identity:list_grants": "rule:admin_required", + "identity:create_grant": "rule:admin_required", + "identity:revoke_grant": "rule:admin_required", + + "identity:list_role_assignments": "rule:admin_required", + "identity:list_role_assignments_for_tree": "rule:admin_required", + + "identity:get_policy": "rule:admin_required", + "identity:list_policies": "rule:admin_required", + "identity:create_policy": "rule:admin_required", + "identity:update_policy": "rule:admin_required", + "identity:delete_policy": "rule:admin_required", + + "identity:check_token": "rule:admin_or_token_subject", + "identity:validate_token": "rule:service_admin_or_token_subject", + "identity:validate_token_head": "rule:service_or_admin", + "identity:revocation_list": "rule:service_or_admin", + "identity:revoke_token": "rule:admin_or_token_subject", + + "identity:create_trust": "user_id:%(trust.trustor_user_id)s", + "identity:list_trusts": "", + "identity:list_roles_for_trust": "", + "identity:get_role_for_trust": "", + "identity:delete_trust": "", + + "identity:create_consumer": "rule:admin_required", + "identity:get_consumer": "rule:admin_required", + "identity:list_consumers": "rule:admin_required", + "identity:delete_consumer": "rule:admin_required", + "identity:update_consumer": "rule:admin_required", + + "identity:authorize_request_token": "rule:admin_required", + "identity:list_access_token_roles": "rule:admin_required", + "identity:get_access_token_role": "rule:admin_required", + "identity:list_access_tokens": "rule:admin_required", + "identity:get_access_token": "rule:admin_required", + "identity:delete_access_token": "rule:admin_required", + + "identity:list_projects_for_endpoint": "rule:admin_required", + "identity:add_endpoint_to_project": "rule:admin_required", + "identity:check_endpoint_in_project": "rule:admin_required", + "identity:list_endpoints_for_project": "rule:admin_required", + "identity:remove_endpoint_from_project": "rule:admin_required", + + "identity:create_endpoint_group": "rule:admin_required", + "identity:list_endpoint_groups": "rule:admin_required", + "identity:get_endpoint_group": "rule:admin_required", + "identity:update_endpoint_group": "rule:admin_required", + "identity:delete_endpoint_group": "rule:admin_required", + "identity:list_projects_associated_with_endpoint_group": "rule:admin_required", + "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required", + "identity:get_endpoint_group_in_project": "rule:admin_required", + "identity:list_endpoint_groups_for_project": "rule:admin_required", + "identity:add_endpoint_group_to_project": "rule:admin_required", + "identity:remove_endpoint_group_from_project": "rule:admin_required", + + "identity:create_identity_provider": "rule:admin_required", + "identity:list_identity_providers": "rule:admin_required", + "identity:get_identity_providers": "rule:admin_required", + "identity:update_identity_provider": "rule:admin_required", + "identity:delete_identity_provider": "rule:admin_required", + + "identity:create_protocol": "rule:admin_required", + "identity:update_protocol": "rule:admin_required", + "identity:get_protocol": "rule:admin_required", + "identity:list_protocols": "rule:admin_required", + "identity:delete_protocol": "rule:admin_required", + + "identity:create_mapping": "rule:admin_required", + "identity:get_mapping": "rule:admin_required", + "identity:list_mappings": "rule:admin_required", + "identity:delete_mapping": "rule:admin_required", + "identity:update_mapping": "rule:admin_required", + + "identity:create_service_provider": "rule:admin_required", + "identity:list_service_providers": "rule:admin_required", + "identity:get_service_provider": "rule:admin_required", + "identity:update_service_provider": "rule:admin_required", + "identity:delete_service_provider": "rule:admin_required", + + "identity:get_auth_catalog": "", + "identity:get_auth_projects": "", + "identity:get_auth_domains": "", + + "identity:list_projects_for_user": "", + "identity:list_domains_for_user": "", + + "identity:list_revoke_events": "rule:service_or_admin", + + "identity:create_policy_association_for_endpoint": "rule:admin_required", + "identity:check_policy_association_for_endpoint": "rule:admin_required", + "identity:delete_policy_association_for_endpoint": "rule:admin_required", + "identity:create_policy_association_for_service": "rule:admin_required", + "identity:check_policy_association_for_service": "rule:admin_required", + "identity:delete_policy_association_for_service": "rule:admin_required", + "identity:create_policy_association_for_region_and_service": "rule:admin_required", + "identity:check_policy_association_for_region_and_service": "rule:admin_required", + "identity:delete_policy_association_for_region_and_service": "rule:admin_required", + "identity:get_policy_for_endpoint": "rule:admin_required", + "identity:list_endpoints_for_policy": "rule:admin_required", + + "identity:create_domain_config": "rule:admin_required", + "identity:get_domain_config": "rule:admin_required", + "identity:get_security_compliance_domain_config": "", + "identity:update_domain_config": "rule:admin_required", + "identity:delete_domain_config": "rule:admin_required", + "identity:get_domain_config_default": "rule:admin_required" +} diff --git a/keystone/templates/etc/_sso_callback_template.html.tpl b/keystone/templates/etc/_sso_callback_template.html.tpl new file mode 100644 index 0000000000..3364d69e55 --- /dev/null +++ b/keystone/templates/etc/_sso_callback_template.html.tpl @@ -0,0 +1,22 @@ + + + + Keystone WebSSO redirect + + +
+ Please wait... +
+ + +
+ + + diff --git a/keystone/templates/etc/_wsgi-keystone.conf.tpl b/keystone/templates/etc/_wsgi-keystone.conf.tpl index e6535eae85..f04bc7e1b6 100644 --- a/keystone/templates/etc/_wsgi-keystone.conf.tpl +++ b/keystone/templates/etc/_wsgi-keystone.conf.tpl @@ -1,6 +1,9 @@ Listen {{ .Values.network.ip_address }}:{{ .Values.network.port.public }} Listen {{ .Values.network.ip_address }}:{{ .Values.network.port.admin }} +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy + WSGIDaemonProcess keystone-public processes=16 threads=6 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public @@ -10,8 +13,11 @@ Listen {{ .Values.network.ip_address }}:{{ .Values.network.port.admin }} = 2.4> ErrorLogFormat "%{cu}t %M" - ErrorLog "|$/bin/cat 1>&2" - CustomLog "|/bin/cat" combined + ErrorLog /dev/stderr + + SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded + CustomLog /dev/stdout combined env=!forwarded + CustomLog /dev/stdout proxy env=forwarded @@ -23,6 +29,9 @@ Listen {{ .Values.network.ip_address }}:{{ .Values.network.port.admin }} = 2.4> ErrorLogFormat "%{cu}t %M" - ErrorLog "|$/bin/cat 1>&2" - CustomLog "|/bin/cat" combined + ErrorLog /dev/stderr + + SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded + CustomLog /dev/stdout combined env=!forwarded + CustomLog /dev/stdout proxy env=forwarded diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml index c1f4954279..403f1d60ee 100644 --- a/keystone/templates/job-db-sync.yaml +++ b/keystone/templates/job-db-sync.yaml @@ -15,7 +15,7 @@ spec: { "name": "NAMESPACE", "value": "{{ .Release.Namespace }}" - }, + }, { "name": "DEPENDENCY_SERVICE", "value": "{{ include "joinListWithColon" .Values.dependencies.db_sync.service }}" @@ -43,13 +43,19 @@ spec: - bash - /tmp/db-sync.sh volumeMounts: + - name: pod-etc-keystone + mountPath: /etc/keystone - name: keystoneconf mountPath: /etc/keystone/keystone.conf subPath: keystone.conf + readOnly: true - name: keystone-bin mountPath: /tmp/db-sync.sh subPath: db-sync.sh + readOnly: true volumes: + - name: pod-etc-keystone + emptyDir: {} - name: keystoneconf configMap: name: keystone-etc diff --git a/keystone/values.yaml b/keystone/values.yaml index a4a84a67bf..1088d2d010 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml @@ -90,4 +90,3 @@ endpoints: port: admin: 35357 public: 5000 -