From b1f87e1ee86f26e476172e0e7a74f96fcd179ce1 Mon Sep 17 00:00:00 2001
From: rajivmucheli
Date: Wed, 27 Nov 2024 12:42:53 +0530
Subject: [PATCH 1/5] [Keystone] support secret-injector
With the recent version bump we got a new helper in the `utils` chart that makes it possible to support `secrets-injector` secrets will still maintaining compatibility. This is also required for upcoming PCI audit and secret rotation..
---
 openstack/keystone/Chart.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openstack/keystone/Chart.yaml b/openstack/keystone/Chart.yaml
index 0f16cc660fa..3a04b1d7e5b 100644
--- a/openstack/keystone/Chart.yaml
+++ b/openstack/keystone/Chart.yaml
@@ -9,7 +9,7 @@ maintainers:
 name: keystone
 sources:
 - https://github.com/sapcc/keystone
-version: 0.7.3
+version: 0.7.4
 dependencies:
 - condition: mariadb.enabled
 name: mariadb
@@ -36,7 +36,7 @@ dependencies:
 version: 1.1.7
 - name: utils
 repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
- version: 0.15.0
+ version: 0.19.6
 - name: linkerd-support
 repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
 version: 0.1.4
From ac65e96f737e0b2140cabb760476b353d93f1de8 Mon Sep 17 00:00:00 2001
From: rajivmucheli
Date: Wed, 27 Nov 2024 15:37:56 +0530
Subject: [PATCH 2/5] add resolve_secret to password values
---
 openstack/keystone/templates/bin/_bootstrap.tpl | 2 +-
 openstack/keystone/templates/etc/_secrets.conf.tpl | 14 +++++++-------
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/openstack/keystone/templates/bin/_bootstrap.tpl b/openstack/keystone/templates/bin/_bootstrap.tpl
index a62c6c82ca7..58aca1d362d 100644
--- a/openstack/keystone/templates/bin/_bootstrap.tpl
+++ b/openstack/keystone/templates/bin/_bootstrap.tpl
@@ -4,7 +4,7 @@ set -ex
 # seed just enough to have a functional v3 api
 keystone-manage --config-file=/etc/keystone/keystone.conf --config-file=/etc/keystone/keystone.conf.d/secrets.conf bootstrap \
 --bootstrap-username {{ .Values.api.adminUser }} \
- --bootstrap-password {{ required "A valid .Values.api.adminPassword required!" .Values.api.adminPassword }} \
+ --bootstrap-password {{ required "A valid .Values.api.adminPassword required!" .Values.api.adminPassword | include "resolve_secret" }} \
 --bootstrap-project-name {{ .Values.api.adminProjectName }} \
 {{- if eq .Values.services.admin.scheme "https" }}
 --bootstrap-admin-url https://{{.Values.services.admin.host}}.{{.Values.global.region}}.{{.Values.global.tld}}/v3 \
diff --git a/openstack/keystone/templates/etc/_secrets.conf.tpl b/openstack/keystone/templates/etc/_secrets.conf.tpl
index 88e88321c0d..013417ef5a0 100644
--- a/openstack/keystone/templates/etc/_secrets.conf.tpl
+++ b/openstack/keystone/templates/etc/_secrets.conf.tpl
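Review bot: The bootstrap password is still expanded on the `keystone-manage` command line while the script runs under `set -ex` (the hunk header), so the shell trace prints it to the container log, and it is readable in the process list for the lifetime of the command, regardless of whether `resolve_secret` yields a literal value or a reference that the injector replaces later. Bracketing just this call with `set +x` before it and `set -x` after it keeps the rest of the trace and drops the one line that carries the secret; `keystone-manage bootstrap` also accepts `OS_BOOTSTRAP_PASSWORD` from the environment, which keeps it off the argv entirely. The enclosing script starts and ends outside the hunk.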
@@ -4,14 +4,14 @@
 {{ if .Values.percona_cluster.enabled -}}
 {{/* in caase percona is active and we need to switch the connection string to mariadb-galera cluster without removing the percona cluster objects */}}
 {{- if and .Values.mariadb_galera.enabled .Values.databaseKind (eq .Values.databaseKind "galera") -}}
-connection = mysql+pymysql://{{ .Values.mariadb_galera.mariadb.users.keystone.username }}:{{.Values.mariadb_galera.mariadb.users.keystone.password }}@{{include "db_host" .}}/{{ .Values.mariadb_galera.mariadb.database_name_to_connect }}?charset=utf8
+connection = mysql+pymysql://{{ .Values.mariadb_galera.mariadb.users.keystone.username }}:{{.Values.mariadb_galera.mariadb.users.keystone.password | include "resolve_secret" }}@{{include "db_host" .}}/{{ .Values.mariadb_galera.mariadb.database_name_to_connect }}?charset=utf8
 {{- else }}
 connection = {{ include "db_url_pxc" . }}
 {{- end }}
 {{- else if .Values.global.clusterDomain -}}
-connection = mysql+pymysql://{{ default .Release.Name .Values.global.dbUser }}:{{.Values.global.dbPassword }}@{{include "db_host" .}}/{{ default .Release.Name .Values.mariadb.name }}?charset=utf8
+connection = mysql+pymysql://{{ default .Release.Name .Values.global.dbUser }}:{{.Values.global.dbPassword | include "resolve_secret" }}@{{include "db_host" .}}/{{ default .Release.Name .Values.mariadb.name }}?charset=utf8
 {{- else if and .Values.mariadb_galera.enabled .Values.databaseKind (eq .Values.databaseKind "galera") -}}
-connection = mysql+pymysql://{{ .Values.mariadb_galera.mariadb.users.keystone.username }}:{{.Values.mariadb_galera.mariadb.users.keystone.password }}@{{include "db_host" .}}/{{ .Values.mariadb_galera.mariadb.database_name_to_connect }}?charset=utf8
+connection = mysql+pymysql://{{ .Values.mariadb_galera.mariadb.users.keystone.username }}:{{.Values.mariadb_galera.mariadb.users.keystone.password | include "resolve_secret" }}@{{include "db_host" .}}/{{ .Values.mariadb_galera.mariadb.database_name_to_connect }}?charset=utf8
 {{- else }}
 connection = {{ include "db_url_mysql" . }}
 {{- end }}
@@ -20,14 +20,14 @@ connection = {{ include "db_url_mysql" . }}
 [cache]
 memcache_sasl_enabled = True
 memcache_username = {{ .Values.memcached.auth.username }}
-memcache_password = {{ .Values.memcached.auth.password }}
+memcache_password = {{ .Values.memcached.auth.password | include "resolve_secret" }}
 {{- end }}
 {{- if not (and (hasKey $.Values "oslo_messaging_notifications") ($.Values.oslo_messaging_notifications.disabled)) }}
 [oslo_messaging_notifications]
 driver = messaging
 {{- if and (.Values.audit.central_service.user) (.Values.audit.central_service.password) }}
-transport_url = rabbit://{{ .Values.audit.central_service.user }}:{{ .Values.audit.central_service.password }}@{{ .Values.audit.central_service.host }}:{{ .Values.audit.central_service.port }}/
+transport_url = rabbit://{{ .Values.audit.central_service.user }}:{{ .Values.audit.central_service.password | include "resolve_secret" }}@{{ .Values.audit.central_service.host }}:{{ .Values.audit.central_service.port }}/
 [oslo_messaging_rabbit]
 rabbit_retry_interval = {{ .Values.audit.central_service.rabbit_retry_interval | default 1 }}
@@ -41,9 +41,9 @@ heartbeat_timeout_threshold = {{ .Values.audit.central_service.heartbeat_timeout
 when rabbit_interval_max >= rabbit_retry_interval */}}
 {{- else if .Values.rabbitmq.host }}
-transport_url = rabbit://{{ .Values.rabbitmq.users.default.user | default "rabbitmq" }}:{{ .Values.rabbitmq.users.default.password }}@{{ .Values.rabbitmq.host }}:{{ .Values.rabbitmq.port | default 5672 }}
+transport_url = rabbit://{{ .Values.rabbitmq.users.default.user | default "rabbitmq" }}:{{ .Values.rabbitmq.users.default.password | include "resolve_secret" }}@{{ .Values.rabbitmq.host }}:{{ .Values.rabbitmq.port | default 5672 }}
 {{ else }}
-transport_url = rabbit://{{ .Values.rabbitmq.users.default.user | default "rabbitmq" }}:{{ .Values.rabbitmq.users.default.password }}@{{ include "rabbitmq_host" . }}:{{ .Values.rabbitmq.port | default 5672 }}
+transport_url = rabbit://{{ .Values.rabbitmq.users.default.user | default "rabbitmq" }}:{{ .Values.rabbitmq.users.default.password | include "resolve_secret" }}@{{ include "rabbitmq_host" . }}:{{ .Values.rabbitmq.port | default 5672 }}
 {{- end }}
 {{- end }}
From 42ba27e1b7fc5041632a632b26dbc5642fd65daf Mon Sep 17 00:00:00 2001
From: rajivmucheli
Date: Wed, 27 Nov 2024 16:00:44 +0530
Subject: [PATCH 3/5] sync chart.lock
---
 openstack/keystone/Chart.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/openstack/keystone/Chart.lock b/openstack/keystone/Chart.lock
index 66cf3476878..3c93cd138da 100644
--- a/openstack/keystone/Chart.lock
+++ b/openstack/keystone/Chart.lock
@@ -19,9 +19,9 @@ dependencies:
 version: 1.1.7
 - name: utils
 repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
- version: 0.15.0
+ version: 0.19.6
 - name: linkerd-support
 repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
 version: 0.1.4
-digest: sha256:7f3e9665e9e649af94735fe7b6233667353fe5aca639dc86e295def90a56f4b7
-generated: "2024-09-30T20:42:46.060829+05:30"
+digest: sha256:6e608d38f5aed8d81e803f77462f441132614f6487e6ca037e7dc61a2b47ae60
+generated: "2024-11-27T16:00:14.156431+05:30"
From 4adefa764c48d50213b83af4fd062963276f2370 Mon Sep 17 00:00:00 2001
From: rajivmucheli
Date: Wed, 27 Nov 2024 16:13:55 +0530
Subject: [PATCH 4/5] use resolve_secret_urlquery for url
---
 openstack/keystone/templates/etc/_secrets.conf.tpl | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/openstack/keystone/templates/etc/_secrets.conf.tpl b/openstack/keystone/templates/etc/_secrets.conf.tpl
index 013417ef5a0..b687f928cf4 100644
--- a/openstack/keystone/templates/etc/_secrets.conf.tpl
+++ b/openstack/keystone/templates/etc/_secrets.conf.tpl
@@ -4,14 +4,14 @@
 {{ if .Values.percona_cluster.enabled -}}
 {{/* in caase percona is active and we need to switch the connection string to mariadb-galera cluster without removing the percona cluster objects */}}
 {{- if and .Values.mariadb_galera.enabled .Values.databaseKind (eq .Values.databaseKind "galera") -}}
-connection = mysql+pymysql://{{ .Values.mariadb_galera.mariadb.users.keystone.username }}:{{.Values.mariadb_galera.mariadb.users.keystone.password | include "resolve_secret" }}@{{include "db_host" .}}/{{ .Values.mariadb_galera.mariadb.database_name_to_connect }}?charset=utf8
+connection = mysql+pymysql://{{ .Values.mariadb_galera.mariadb.users.keystone.username }}:{{.Values.mariadb_galera.mariadb.users.keystone.password | include "resolve_secret_urlquery" }}@{{include "db_host" .}}/{{ .Values.mariadb_galera.mariadb.database_name_to_connect }}?charset=utf8
 {{- else }}
 connection = {{ include "db_url_pxc" . }}
 {{- end }}
 {{- else if .Values.global.clusterDomain -}}
-connection = mysql+pymysql://{{ default .Release.Name .Values.global.dbUser }}:{{.Values.global.dbPassword | include "resolve_secret" }}@{{include "db_host" .}}/{{ default .Release.Name .Values.mariadb.name }}?charset=utf8
+connection = mysql+pymysql://{{ default .Release.Name .Values.global.dbUser }}:{{.Values.global.dbPassword | include "resolve_secret_urlquery" }}@{{include "db_host" .}}/{{ default .Release.Name .Values.mariadb.name }}?charset=utf8
 {{- else if and .Values.mariadb_galera.enabled .Values.databaseKind (eq .Values.databaseKind "galera") -}}
-connection = mysql+pymysql://{{ .Values.mariadb_galera.mariadb.users.keystone.username }}:{{.Values.mariadb_galera.mariadb.users.keystone.password | include "resolve_secret" }}@{{include "db_host" .}}/{{ .Values.mariadb_galera.mariadb.database_name_to_connect }}?charset=utf8
+connection = mysql+pymysql://{{ .Values.mariadb_galera.mariadb.users.keystone.username }}:{{.Values.mariadb_galera.mariadb.users.keystone.password | include "resolve_secret_urlquery" }}@{{include "db_host" .}}/{{ .Values.mariadb_galera.mariadb.database_name_to_connect }}?charset=utf8
 {{- else }}
 connection = {{ include "db_url_mysql" . }}
 {{- end }}
@@ -27,7 +27,7 @@ memcache_password = {{ .Values.memcached.auth.password | include "resolve_secret
 [oslo_messaging_notifications]
 driver = messaging
 {{- if and (.Values.audit.central_service.user) (.Values.audit.central_service.password) }}
-transport_url = rabbit://{{ .Values.audit.central_service.user }}:{{ .Values.audit.central_service.password | include "resolve_secret" }}@{{ .Values.audit.central_service.host }}:{{ .Values.audit.central_service.port }}/
+transport_url = rabbit://{{ .Values.audit.central_service.user }}:{{ .Values.audit.central_service.password | include "resolve_secret_urlquery" }}@{{ .Values.audit.central_service.host }}:{{ .Values.audit.central_service.port }}/
 [oslo_messaging_rabbit]
 rabbit_retry_interval = {{ .Values.audit.central_service.rabbit_retry_interval | default 1 }}
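Review bot: Only the three inline `connection =` strings get `resolve_secret_urlquery`; the two `{{- else }}` branches of the same `[database]` block still delegate to `db_url_pxc` and `db_url_mysql`, which this series does not touch, so if those helpers read the same password values without resolving injector references the percona and plain-mysql deployments would render an unresolved reference into the DSN while the galera and clusterDomain ones render the resolved value. Worth confirming that the helpers in the bumped `utils` chart apply the same resolution and URL-encoding; a short comment above the block such as `{{/* passwords must be url-encoded: they are embedded in a DSN, see resolve_secret_urlquery */}}` would also tell the next editor why this helper and not plain `resolve_secret` is used here.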
@@ -41,9 +41,9 @@ heartbeat_timeout_threshold = {{ .Values.audit.central_service.heartbeat_timeout
 when rabbit_interval_max >= rabbit_retry_interval */}}
 {{- else if .Values.rabbitmq.host }}
-transport_url = rabbit://{{ .Values.rabbitmq.users.default.user | default "rabbitmq" }}:{{ .Values.rabbitmq.users.default.password | include "resolve_secret" }}@{{ .Values.rabbitmq.host }}:{{ .Values.rabbitmq.port | default 5672 }}
+transport_url = rabbit://{{ .Values.rabbitmq.users.default.user | default "rabbitmq" }}:{{ .Values.rabbitmq.users.default.password | include "resolve_secret_urlquery" }}@{{ .Values.rabbitmq.host }}:{{ .Values.rabbitmq.port | default 5672 }}
 {{ else }}
-transport_url = rabbit://{{ .Values.rabbitmq.users.default.user | default "rabbitmq" }}:{{ .Values.rabbitmq.users.default.password | include "resolve_secret" }}@{{ include "rabbitmq_host" . }}:{{ .Values.rabbitmq.port | default 5672 }}
+transport_url = rabbit://{{ .Values.rabbitmq.users.default.user | default "rabbitmq" }}:{{ .Values.rabbitmq.users.default.password | include "resolve_secret_urlquery" }}@{{ include "rabbitmq_host" . }}:{{ .Values.rabbitmq.port | default 5672 }}
 {{- end }}
 {{- end }}
From 991bfa2047f93d53c56f46f53d6ff8ecdb8ea59a Mon Sep 17 00:00:00 2001
From: rajivmucheli
Date: Wed, 27 Nov 2024 17:16:09 +0530
Subject: [PATCH 5/5] add resolve_secret_urlquery to .Values.audit.central_service.user
---
 openstack/keystone/templates/etc/_secrets.conf.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openstack/keystone/templates/etc/_secrets.conf.tpl b/openstack/keystone/templates/etc/_secrets.conf.tpl
index b687f928cf4..779a9c9990c 100644
--- a/openstack/keystone/templates/etc/_secrets.conf.tpl
+++ b/openstack/keystone/templates/etc/_secrets.conf.tpl
@@ -27,7 +27,7 @@ memcache_password = {{ .Values.memcached.auth.password | include "resolve_secret
 [oslo_messaging_notifications]
 driver = messaging
 {{- if and (.Values.audit.central_service.user) (.Values.audit.central_service.password) }}
-transport_url = rabbit://{{ .Values.audit.central_service.user }}:{{ .Values.audit.central_service.password | include "resolve_secret_urlquery" }}@{{ .Values.audit.central_service.host }}:{{ .Values.audit.central_service.port }}/
+transport_url = rabbit://{{ .Values.audit.central_service.user | include "resolve_secret_urlquery" }}:{{ .Values.audit.central_service.password | include "resolve_secret_urlquery" }}@{{ .Values.audit.central_service.host }}:{{ .Values.audit.central_service.port }}/
 [oslo_messaging_rabbit]
 rabbit_retry_interval = {{ .Values.audit.central_service.rabbit_retry_interval | default 1 }}
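Review bot: The audit username is now passed through `resolve_secret_urlquery`, but the other usernames embedded in URLs in this template are still interpolated raw: `.Values.rabbitmq.users.default.user | default "rabbitmq"` in the two rabbitmq `transport_url` lines of the `-41,9` hunk of PATCH 4/5, and `keystone.username` / `default .Release.Name .Values.global.dbUser` in the `[database]` `connection =` lines of the `-4,14` hunk of the same patch. If any of those can be an injector reference, or simply contain `@`, `:` or `/`, they need the same treatment, e.g. `{{ .Values.rabbitmq.users.default.user | default "rabbitmq" | include "resolve_secret_urlquery" }}`, with `default` applied before the include so the fallback value is encoded as well. The surrounding `{{- if and (...user) (...password) }}` still tests the raw values, which is fine as long as a reference is non-empty, but a one-line comment saying so would save the next reader from wondering whether the guard should test the resolved value instead.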