fix(keystone): avoid resetting keys on each deploy

Due to the way OpenStack Helm sets the helm.sh/hook annotation on the
secrets always it causes a removal and re-apply of the secrets but
dropping all the generated data every time the keystone chart is
deployed. We do not want this behavior so disable OpenStack Helm
creating this secret for us and instead switch to just loading the
secret ourselves. ref:PUC-1118

Author: cardoe

components/keystone/kustomization.yaml

@@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
+  - secret-keystone-keys.yaml
   - keystone-mariadb-db.yaml
   - keystone-rabbitmq-queue.yaml
   - external-secret-keystone-sso.yaml

components/keystone/secret-keystone-keys.yaml

@@ -0,0 +1,17 @@
+# Explicitly define this secret as empty so that OpenStack Helm does not
+# create it for us because it will put helm hook annotations on the one
+# it generates. This causes the secret to get re-generated by subsequent
+# helm runs. Specifically ArgoCD cleans up anything with a helm hook
+# before applying the chart again. We do not want this to go away and
+# instead allow other jobs to update it so it should persist.
+# TODO: remove after https://review.opendev.org/c/openstack/openstack-helm/+/959251 is released.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keystone-fernet-keys
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keystone-credential-keys

components/keystone/values.yaml

@@ -306,6 +306,9 @@ manifests:
   secret_db: false
   secret_keystone: true
   service_ingress_api: false
+  # these next two we create ourselves to avoid helm hooks issues
+  secret_credential_keys: false
+  secret_fernet_keys: false
 
 annotations:
   # we need to modify the annotations on OpenStack Helm