diff --git a/api/bases/heat.openstack.org_heatapis.yaml b/api/bases/heat.openstack.org_heatapis.yaml index 626b8a4e..2b818ec6 100644 --- a/api/bases/heat.openstack.org_heatapis.yaml +++ b/api/bases/heat.openstack.org_heatapis.yaml @@ -275,6 +275,11 @@ spec: description: Service - Selector to get the heat service password from the Secret type: string + stackDomainAdminPassword: + default: HeatStackDomainAdminPassword + description: StackDomainAdminPassword - Selector to get the heat + stack domain admin password from the Secret + type: string type: object replicas: default: 1 diff --git a/api/bases/heat.openstack.org_heatcfnapis.yaml b/api/bases/heat.openstack.org_heatcfnapis.yaml index 10ca472d..4c9bc5fc 100644 --- a/api/bases/heat.openstack.org_heatcfnapis.yaml +++ b/api/bases/heat.openstack.org_heatcfnapis.yaml @@ -275,6 +275,11 @@ spec: description: Service - Selector to get the heat service password from the Secret type: string + stackDomainAdminPassword: + default: HeatStackDomainAdminPassword + description: StackDomainAdminPassword - Selector to get the heat + stack domain admin password from the Secret + type: string type: object replicas: default: 1 diff --git a/api/bases/heat.openstack.org_heatengines.yaml b/api/bases/heat.openstack.org_heatengines.yaml index 4561b7b6..aa9ce459 100644 --- a/api/bases/heat.openstack.org_heatengines.yaml +++ b/api/bases/heat.openstack.org_heatengines.yaml @@ -101,6 +101,11 @@ spec: description: Service - Selector to get the heat service password from the Secret type: string + stackDomainAdminPassword: + default: HeatStackDomainAdminPassword + description: StackDomainAdminPassword - Selector to get the heat + stack domain admin password from the Secret + type: string type: object replicas: default: 1 diff --git a/api/bases/heat.openstack.org_heats.yaml b/api/bases/heat.openstack.org_heats.yaml index a8921139..5f383d5a 100644 --- a/api/bases/heat.openstack.org_heats.yaml +++ b/api/bases/heat.openstack.org_heats.yaml 
@@ -819,6 +819,11 @@ spec: description: Service - Selector to get the heat service password from the Secret type: string + stackDomainAdminPassword: + default: HeatStackDomainAdminPassword + description: StackDomainAdminPassword - Selector to get the heat + stack domain admin password from the Secret + type: string type: object preserveJobs: default: false diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go index f587a426..0ba386fa 100644 --- a/api/v1beta1/common_types.go +++ b/api/v1beta1/common_types.go @@ -98,4 +98,8 @@ type PasswordSelector struct { // +kubebuilder:default="HeatAuthEncryptionKey" // AuthEncryptionKey - Selector to get the heat auth encryption key from the Secret AuthEncryptionKey string `json:"authEncryptionKey"` + // +kubebuilder:validation:Optional + // +kubebuilder:default="HeatStackDomainAdminPassword" + // StackDomainAdminPassword - Selector to get the heat stack domain admin password from the Secret + StackDomainAdminPassword string `json:"stackDomainAdminPassword"` } diff --git a/config/crd/bases/heat.openstack.org_heatapis.yaml b/config/crd/bases/heat.openstack.org_heatapis.yaml index 626b8a4e..2b818ec6 100644 --- a/config/crd/bases/heat.openstack.org_heatapis.yaml +++ b/config/crd/bases/heat.openstack.org_heatapis.yaml @@ -275,6 +275,11 @@ spec: description: Service - Selector to get the heat service password from the Secret type: string + stackDomainAdminPassword: + default: HeatStackDomainAdminPassword + description: StackDomainAdminPassword - Selector to get the heat + stack domain admin password from the Secret + type: string type: object replicas: default: 1 diff --git a/config/crd/bases/heat.openstack.org_heatcfnapis.yaml b/config/crd/bases/heat.openstack.org_heatcfnapis.yaml index 10ca472d..4c9bc5fc 100644 --- a/config/crd/bases/heat.openstack.org_heatcfnapis.yaml +++ b/config/crd/bases/heat.openstack.org_heatcfnapis.yaml 
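Review bot: The comment on the new `StackDomainAdminPassword` field in `PasswordSelector` does not say what happens when the selected key is missing from the Secret. The controller hunks in this commit reuse the service password in that case, so the stack domain admin and the heat service user can end up sharing one credential without the API type documenting it. I would extend the field comment with a line such as `// If the key is not present in the Secret, the Service password is used instead.` The struct begins outside this hunk.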
@@ -275,6 +275,11 @@ spec: description: Service - Selector to get the heat service password from the Secret type: string + stackDomainAdminPassword: + default: HeatStackDomainAdminPassword + description: StackDomainAdminPassword - Selector to get the heat + stack domain admin password from the Secret + type: string type: object replicas: default: 1 diff --git a/config/crd/bases/heat.openstack.org_heatengines.yaml b/config/crd/bases/heat.openstack.org_heatengines.yaml index 4561b7b6..aa9ce459 100644 --- a/config/crd/bases/heat.openstack.org_heatengines.yaml +++ b/config/crd/bases/heat.openstack.org_heatengines.yaml @@ -101,6 +101,11 @@ spec: description: Service - Selector to get the heat service password from the Secret type: string + stackDomainAdminPassword: + default: HeatStackDomainAdminPassword + description: StackDomainAdminPassword - Selector to get the heat + stack domain admin password from the Secret + type: string type: object replicas: default: 1 diff --git a/config/crd/bases/heat.openstack.org_heats.yaml b/config/crd/bases/heat.openstack.org_heats.yaml index a8921139..5f383d5a 100644 --- a/config/crd/bases/heat.openstack.org_heats.yaml +++ b/config/crd/bases/heat.openstack.org_heats.yaml @@ -819,6 +819,11 @@ spec: description: Service - Selector to get the heat service password from the Secret type: string + stackDomainAdminPassword: + default: HeatStackDomainAdminPassword + description: StackDomainAdminPassword - Selector to get the heat + stack domain admin password from the Secret + type: string type: object preserveJobs: default: false diff --git a/controllers/heat_controller.go b/controllers/heat_controller.go index b93f7137..a73c6ac7 100644 --- a/controllers/heat_controller.go +++ b/controllers/heat_controller.go 
@@ -953,6 +953,13 @@ func (r *HeatReconciler) generateServiceSecrets( return err } password := strings.TrimSuffix(string(ospSecret.Data[instance.Spec.PasswordSelectors.Service]), "\n") + + domainAdminPassword := password + val, ok := ospSecret.Data[instance.Spec.PasswordSelectors.StackDomainAdminPassword] + if ok { + domainAdminPassword = strings.TrimSuffix(string(val), "\n") + } + authEncryptionKey, err := validateAuthEncryptionKey(instance, ospSecret) if err != nil { return err @@ -967,7 +974,7 @@ func (r *HeatReconciler) generateServiceSecrets( databaseAccount := db.GetAccount() dbSecret := db.GetSecret() - templateParameters := initTemplateParameters(instance, authURL, password, authEncryptionKey, transportURL, mc, databaseAccount, dbSecret) + templateParameters := initTemplateParameters(instance, authURL, password, domainAdminPassword, authEncryptionKey, transportURL, mc, databaseAccount, dbSecret) // Render vhost configuration for API and CFN httpdAPIVhostConfig := map[string]interface{}{} @@ -1048,6 +1055,11 @@ func (r *HeatReconciler) ensureStackDomain( } password := strings.TrimSuffix(string(val), "\n") + domainAdminPassword := password + val, ok = secret.Data[instance.Spec.PasswordSelectors.StackDomainAdminPassword] + if ok { + domainAdminPassword = strings.TrimSuffix(string(val), "\n") + } // // get admin authentication OpenStack // @@ -1082,7 +1094,7 @@ func (r *HeatReconciler) ensureStackDomain( r.Log, openstack.User{ Name: heat.StackDomainAdminUsername, - Password: password, + Password: domainAdminPassword, DomainID: domainID, }) if err != nil { @@ -1301,6 +1313,7 @@ func initTemplateParameters( instance *heatv1beta1.Heat, authURL string, password string, + domainAdminPassword string, authEncryptionKey string, transportURL string, mc *memcachedv1.Memcached, 
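Review bot: In `generateServiceSecrets` (hunk at -953) the added lookup accepts a key that is present but empty or only a newline, so `domainAdminPassword` becomes an empty string and is rendered into the config. A missing key, by contrast, silently reuses the service password. The same lines are repeated in `ensureStackDomain` (hunk at -1048), so the two reads can drift apart. A small helper that trims first and falls back on an empty result, called from both places, would close the empty-value case. A log line when the fallback is taken would also show operators that two accounts share one credential. Both function bodies continue outside the hunks.

```go
// stackDomainAdminPassword returns the Secret value selected by selector,
// or fallback when the key is missing or empty after trimming.
func stackDomainAdminPassword(data map[string][]byte, selector, fallback string) string {
	if pw := strings.TrimSuffix(string(data[selector]), "\n"); pw != "" {
		return pw
	}
	return fallback
}

// in generateServiceSecrets, after password is read:
domainAdminPassword := stackDomainAdminPassword(
	ospSecret.Data, instance.Spec.PasswordSelectors.StackDomainAdminPassword, password)
// … unchanged: validateAuthEncryptionKey call …
```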
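Review bot: Switching `Password` to `domainAdminPassword` in the `openstack.User` built in `ensureStackDomain` (hunk at -1082) only takes effect for an existing account if the helper receiving it also updates users that are already there. On deployments where the stack domain admin was created earlier with the service password, adding the new key to the Secret changes the rendered `stack_domain_admin_password` straight away. If the helper only creates missing users (its body is not visible here), Keystone would keep the old password and the domain admin authentication would presumably start failing. It is worth confirming the update path, or recording the constraint above the call, e.g. `// NOTE: a changed stack domain admin password must also be applied to the existing Keystone user`.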
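Review bot: `initTemplateParameters` (hunk at -1301) now takes `password` and `domainAdminPassword` as adjacent positional `string` parameters, alongside `authURL`, `authEncryptionKey` and `transportURL`. A swapped argument at the call site still compiles and would write the wrong credential into the rendered config. At minimum a doc comment on the function should pin the meaning of each, for example `// password is the heat service user's password; domainAdminPassword belongs to heat.StackDomainAdminUsername.` The signature and body continue outside this hunk.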
@@ -1321,6 +1334,7 @@ func initTemplateParameters( "ServicePassword": password, "StackDomainAdminUsername": heat.StackDomainAdminUsername, "StackDomainName": heat.StackDomainName, + "StackDomainAdminPassword": domainAdminPassword, "AuthEncryptionKey": authEncryptionKey, "TransportURL": transportURL, "MemcachedServers": mc.GetMemcachedServerListString(), diff --git a/templates/heat/config/00-default.conf b/templates/heat/config/00-default.conf index 2489258d..ce8c0316 100644 --- a/templates/heat/config/00-default.conf +++ b/templates/heat/config/00-default.conf @@ -2,7 +2,7 @@ region_name_for_services=regionOne stack_user_domain_name={{ .StackDomainName }} stack_domain_admin={{ .StackDomainAdminUsername }} -stack_domain_admin_password={{ .ServicePassword }} +stack_domain_admin_password={{ .StackDomainAdminPassword }} num_engine_workers=4 auth_encryption_key={{ .AuthEncryptionKey }} use_stderr=true diff --git a/tests/kuttl/common/assert-sample-deployment.yaml b/tests/kuttl/common/assert-sample-deployment.yaml index 488fb324..52322d3a 100644 --- a/tests/kuttl/common/assert-sample-deployment.yaml +++ b/tests/kuttl/common/assert-sample-deployment.yaml @@ -32,6 +32,7 @@ spec: memcachedInstance: memcached passwordSelectors: authEncryptionKey: HeatAuthEncryptionKey + stackDomainAdminPassword: HeatStackDomainAdminPassword service: HeatPassword preserveJobs: false rabbitMqClusterName: rabbitmq @@ -61,6 +62,7 @@ spec: databaseAccount: heat passwordSelectors: authEncryptionKey: HeatAuthEncryptionKey + stackDomainAdminPassword: HeatStackDomainAdminPassword service: HeatPassword replicas: 1 resources: {} @@ -88,6 +90,7 @@ spec: databaseAccount: heat passwordSelectors: authEncryptionKey: HeatAuthEncryptionKey + stackDomainAdminPassword: HeatStackDomainAdminPassword service: HeatPassword replicas: 1 resources: {} 
@@ -115,6 +118,7 @@ spec: databaseAccount: heat passwordSelectors: authEncryptionKey: HeatAuthEncryptionKey + stackDomainAdminPassword: HeatStackDomainAdminPassword service: HeatPassword replicas: 1 resources: {}