Add HeatStackDomainAdminPassword to heat passwords

This is different in OSP 17.1 environments and we can't assume it to be the same as service password. Signed-off-by: rabi <[email protected]>
openstack-k8s-operators · Oct 24, 2024 · 0941fe6 · 0941fe6
1 parent 7219355
commit 0941fe6
Show file tree

Hide file tree

Showing 12 changed files with 65 additions and 3 deletions.
diff --git a/api/bases/heat.openstack.org_heatapis.yaml b/api/bases/heat.openstack.org_heatapis.yaml
@@ -275,6 +275,11 @@ spec:
                     description: Service - Selector to get the heat service password
                       from the Secret
                     type: string
+                  stackDomainAdminPassword:
+                    default: HeatStackDomainAdminPassword
+                    description: StackDomainAdminPassword - Selector to get the heat
+                      stack domain admin password from the Secret
+                    type: string
                 type: object
               replicas:
                 default: 1

diff --git a/api/bases/heat.openstack.org_heatcfnapis.yaml b/api/bases/heat.openstack.org_heatcfnapis.yaml
@@ -275,6 +275,11 @@ spec:
                     description: Service - Selector to get the heat service password
                       from the Secret
                     type: string
+                  stackDomainAdminPassword:
+                    default: HeatStackDomainAdminPassword
+                    description: StackDomainAdminPassword - Selector to get the heat
+                      stack domain admin password from the Secret
+                    type: string
                 type: object
               replicas:
                 default: 1

diff --git a/api/bases/heat.openstack.org_heatengines.yaml b/api/bases/heat.openstack.org_heatengines.yaml
@@ -101,6 +101,11 @@ spec:
                     description: Service - Selector to get the heat service password
                       from the Secret
                     type: string
+                  stackDomainAdminPassword:
+                    default: HeatStackDomainAdminPassword
+                    description: StackDomainAdminPassword - Selector to get the heat
+                      stack domain admin password from the Secret
+                    type: string
                 type: object
               replicas:
                 default: 1

diff --git a/api/bases/heat.openstack.org_heats.yaml b/api/bases/heat.openstack.org_heats.yaml
@@ -819,6 +819,11 @@ spec:
                     description: Service - Selector to get the heat service password
                       from the Secret
                     type: string
+                  stackDomainAdminPassword:
+                    default: HeatStackDomainAdminPassword
+                    description: StackDomainAdminPassword - Selector to get the heat
+                      stack domain admin password from the Secret
+                    type: string
                 type: object
               preserveJobs:
                 default: false

diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
@@ -98,4 +98,8 @@ type PasswordSelector struct {
 	// +kubebuilder:default="HeatAuthEncryptionKey"
 	// AuthEncryptionKey - Selector to get the heat auth encryption key from the Secret
 	AuthEncryptionKey string `json:"authEncryptionKey"`
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="HeatStackDomainAdminPassword"
+	// StackDomainAdminPassword - Selector to get the heat stack domain admin password from the Secret
+	StackDomainAdminPassword string `json:"stackDomainAdminPassword"`
 }
diff --git a/config/crd/bases/heat.openstack.org_heatapis.yaml b/config/crd/bases/heat.openstack.org_heatapis.yaml
@@ -275,6 +275,11 @@ spec:
                     description: Service - Selector to get the heat service password
                       from the Secret
                     type: string
+                  stackDomainAdminPassword:
+                    default: HeatStackDomainAdminPassword
+                    description: StackDomainAdminPassword - Selector to get the heat
+                      stack domain admin password from the Secret
+                    type: string
                 type: object
               replicas:
                 default: 1

diff --git a/config/crd/bases/heat.openstack.org_heatcfnapis.yaml b/config/crd/bases/heat.openstack.org_heatcfnapis.yaml
@@ -275,6 +275,11 @@ spec:
                     description: Service - Selector to get the heat service password
                       from the Secret
                     type: string
+                  stackDomainAdminPassword:
+                    default: HeatStackDomainAdminPassword
+                    description: StackDomainAdminPassword - Selector to get the heat
+                      stack domain admin password from the Secret
+                    type: string
                 type: object
               replicas:
                 default: 1

diff --git a/config/crd/bases/heat.openstack.org_heatengines.yaml b/config/crd/bases/heat.openstack.org_heatengines.yaml
@@ -101,6 +101,11 @@ spec:
                     description: Service - Selector to get the heat service password
                       from the Secret
                     type: string
+                  stackDomainAdminPassword:
+                    default: HeatStackDomainAdminPassword
+                    description: StackDomainAdminPassword - Selector to get the heat
+                      stack domain admin password from the Secret
+                    type: string
                 type: object
               replicas:
                 default: 1

diff --git a/config/crd/bases/heat.openstack.org_heats.yaml b/config/crd/bases/heat.openstack.org_heats.yaml
@@ -819,6 +819,11 @@ spec:
                     description: Service - Selector to get the heat service password
                       from the Secret
                     type: string
+                  stackDomainAdminPassword:
+                    default: HeatStackDomainAdminPassword
+                    description: StackDomainAdminPassword - Selector to get the heat
+                      stack domain admin password from the Secret
+                    type: string
                 type: object
               preserveJobs:
                 default: false

diff --git a/controllers/heat_controller.go b/controllers/heat_controller.go
@@ -953,6 +953,13 @@ func (r *HeatReconciler) generateServiceSecrets(
 		return err
 	}
 	password := strings.TrimSuffix(string(ospSecret.Data[instance.Spec.PasswordSelectors.Service]), "\n")
+
+	domainAdminPassword := password
+	val, ok := ospSecret.Data[instance.Spec.PasswordSelectors.StackDomainAdminPassword]
+	if ok {
+		domainAdminPassword = strings.TrimSuffix(string(val), "\n")
+	}
+
 	authEncryptionKey, err := validateAuthEncryptionKey(instance, ospSecret)
 	if err != nil {
 		return err
@@ -967,7 +974,7 @@ func (r *HeatReconciler) generateServiceSecrets(
 	databaseAccount := db.GetAccount()
 	dbSecret := db.GetSecret()
 
-	templateParameters := initTemplateParameters(instance, authURL, password, authEncryptionKey, transportURL, mc, databaseAccount, dbSecret)
+	templateParameters := initTemplateParameters(instance, authURL, password, domainAdminPassword, authEncryptionKey, transportURL, mc, databaseAccount, dbSecret)
 
 	// Render vhost configuration for API and CFN
 	httpdAPIVhostConfig := map[string]interface{}{}
@@ -1048,6 +1055,11 @@ func (r *HeatReconciler) ensureStackDomain(
 	}
 	password := strings.TrimSuffix(string(val), "\n")
 
+	domainAdminPassword := password
+	val, ok = secret.Data[instance.Spec.PasswordSelectors.StackDomainAdminPassword]
+	if ok {
+		domainAdminPassword = strings.TrimSuffix(string(val), "\n")
+	}
 	//
 	// get admin authentication OpenStack
 	//
@@ -1082,7 +1094,7 @@ func (r *HeatReconciler) ensureStackDomain(
 		r.Log,
 		openstack.User{
 			Name:     heat.StackDomainAdminUsername,
-			Password: password,
+			Password: domainAdminPassword,
 			DomainID: domainID,
 		})
 	if err != nil {
@@ -1301,6 +1313,7 @@ func initTemplateParameters(
 	instance *heatv1beta1.Heat,
 	authURL string,
 	password string,
+	domainAdminPassword string,
 	authEncryptionKey string,
 	transportURL string,
 	mc *memcachedv1.Memcached,
@@ -1321,6 +1334,7 @@ func initTemplateParameters(
 		"ServicePassword":          password,
 		"StackDomainAdminUsername": heat.StackDomainAdminUsername,
 		"StackDomainName":          heat.StackDomainName,
+		"StackDomainAdminPassword": domainAdminPassword,
 		"AuthEncryptionKey":        authEncryptionKey,
 		"TransportURL":             transportURL,
 		"MemcachedServers":         mc.GetMemcachedServerListString(),

diff --git a/templates/heat/config/00-default.conf b/templates/heat/config/00-default.conf
@@ -2,7 +2,7 @@
 region_name_for_services=regionOne
 stack_user_domain_name={{ .StackDomainName }}
 stack_domain_admin={{ .StackDomainAdminUsername }}
-stack_domain_admin_password={{ .ServicePassword }}
+stack_domain_admin_password={{ .StackDomainAdminPassword }}
 num_engine_workers=4
 auth_encryption_key={{ .AuthEncryptionKey }}
 use_stderr=true

diff --git a/tests/kuttl/common/assert-sample-deployment.yaml b/tests/kuttl/common/assert-sample-deployment.yaml
@@ -32,6 +32,7 @@ spec:
   memcachedInstance: memcached
   passwordSelectors:
     authEncryptionKey: HeatAuthEncryptionKey
+    stackDomainAdminPassword: HeatStackDomainAdminPassword
     service: HeatPassword
   preserveJobs: false
   rabbitMqClusterName: rabbitmq
@@ -61,6 +62,7 @@ spec:
   databaseAccount: heat
   passwordSelectors:
     authEncryptionKey: HeatAuthEncryptionKey
+    stackDomainAdminPassword: HeatStackDomainAdminPassword
     service: HeatPassword
   replicas: 1
   resources: {}
@@ -88,6 +90,7 @@ spec:
   databaseAccount: heat
   passwordSelectors:
     authEncryptionKey: HeatAuthEncryptionKey
+    stackDomainAdminPassword: HeatStackDomainAdminPassword
     service: HeatPassword
   replicas: 1
   resources: {}
@@ -115,6 +118,7 @@ spec:
   databaseAccount: heat
   passwordSelectors:
     authEncryptionKey: HeatAuthEncryptionKey
+    stackDomainAdminPassword: HeatStackDomainAdminPassword
     service: HeatPassword
   replicas: 1
   resources: {}