feat: use mariadb operator for OpenStack db secrets

Generate and inject the database connection info via a secret generated
by the MariaDB operator to create a connection string that matches what
oslo.config reads.

Unfortunately OpenStack Helm doesn't always respect the mount for the
db_sync job so this won't work until that's fixed upstream and we bump
to releases with those fixes for all the services.

Author: cardoe

components/glance/glance-mariadb-db.yaml

@@ -50,3 +50,26 @@ spec:
   grantOption: true
   host: "%"
   retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Connection
+metadata:
+  name: glance-db-conn
+spec:
+  mariaDbRef:
+    name: mariadb
+  username: glance
+  passwordSecretKeyRef:
+    name: glance-db-password
+    key: password
+  database: glance
+  secretName: glance-db-conn
+  secretTemplate:
+    key: db_conn.conf
+    format: |
+      [database]
+      connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }}
+  healthCheck:
+    interval: 30s
+    retryInterval: 3s
+  serviceName: mariadb

components/glance/values.yaml

@@ -89,6 +89,38 @@ pod:
             periodSeconds: 10
             timeoutSeconds: 8
             failureThreshold: 6
+  mounts:
+    # oslo.config autoloads certain paths in alphabetical order
+    # which gives us the opportunity to inject secrets and extra
+    # configs here. likely the best paths are:
+    # /etc/${project}/${prog}.conf.d/*.conf
+    # /etc/${project}/${project}.conf.d/*.conf
+    # the first would be best for per service separation but since each
+    # service is in its own pod they won't overlap. further more there
+    # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514
+    # so we'll use the bottom one
+    glance_api:
+      glance_api:
+        volumeMounts:
+          - mountPath: /etc/glance/glance.conf.d/db_conn.conf
+            name: glance-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: glance-db-conn
+            secret:
+              secretName: glance-db-conn
+    glance_db_sync:
+      glance_db_sync:
+        volumeMounts:
+          - mountPath: /etc/glance/glance.conf.d/db_conn.conf
+            name: glance-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: glance-db-conn
+            secret:
+              secretName: glance-db-conn
 
 conf:
   glance_api_uwsgi:

components/horizon/horizon-mariadb-db.yaml

@@ -50,3 +50,26 @@ spec:
   grantOption: true
   host: "%"
   retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Connection
+metadata:
+  name: horizon-db-conn
+spec:
+  mariaDbRef:
+    name: mariadb
+  username: horizon
+  passwordSecretKeyRef:
+    name: horizon-db-password
+    key: password
+  database: horizon
+  secretName: horizon-db-conn
+  secretTemplate:
+    key: db_conn.conf
+    format: |
+      [database]
+      connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }}
+  healthCheck:
+    interval: 30s
+    retryInterval: 3s
+  serviceName: mariadb

components/horizon/values.yaml

@@ -76,6 +76,38 @@ pod:
         # this should be set to no more than (pod.replicas.horizon - 1)
         # usually set on per-deployment basis.
         min_available: 0
+  mounts:
+    # oslo.config autoloads certain paths in alphabetical order
+    # which gives us the opportunity to inject secrets and extra
+    # configs here. likely the best paths are:
+    # /etc/${project}/${prog}.conf.d/*.conf
+    # /etc/${project}/${project}.conf.d/*.conf
+    # the first would be best for per service separation but since each
+    # service is in its own pod they won't overlap. further more there
+    # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514
+    # so we'll use the bottom one
+    horizon:
+      horizon:
+        volumeMounts:
+          - mountPath: /etc/horizon/horizon.conf.d/db_conn.conf
+            name: horizon-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: horizon-db-conn
+            secret:
+              secretName: horizon-db-conn
+    horizon_db_sync:
+      horizon_db_sync:
+        volumeMounts:
+          - mountPath: /etc/horizon/horizon.conf.d/db_conn.conf
+            name: horizon-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: horizon-db-conn
+            secret:
+              secretName: horizon-db-conn
 
 # We don't want to enable OpenStack Helm's
 # helm.sh/hooks because they set them as

components/ironic/ironic-mariadb-db.yaml

@@ -50,3 +50,26 @@ spec:
   grantOption: true
   host: "%"
   retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Connection
+metadata:
+  name: ironic-db-conn
+spec:
+  mariaDbRef:
+    name: mariadb
+  username: ironic
+  passwordSecretKeyRef:
+    name: ironic-db-password
+    key: password
+  database: ironic
+  secretName: ironic-db-conn
+  secretTemplate:
+    key: db_conn.conf
+    format: |
+      [database]
+      connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }}
+  healthCheck:
+    interval: 30s
+    retryInterval: 3s
+  serviceName: mariadb

components/ironic/values.yaml

@@ -163,16 +163,54 @@ manifests:
 
 pod:
   mounts:
+    # oslo.config autoloads certain paths in alphabetical order
+    # which gives us the opportunity to inject secrets and extra
+    # configs here. likely the best paths are:
+    # /etc/${project}/${prog}.conf.d/*.conf
+    # /etc/${project}/${project}.conf.d/*.conf
+    # the first would be best for per service separation but since each
+    # service is in its own pod they won't overlap. further more there
+    # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514
+    # so we'll use the bottom one
+    ironic_api:
+      ironic_api:
+        volumeMounts:
+          - mountPath: /etc/ironic/ironic.conf.d/db_conn.conf
+            name: ironic-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: ironic-db-conn
+            secret:
+              secretName: ironic-db-conn
+    ironic_db_sync:
+      ironic_db_sync:
+        volumeMounts:
+          - mountPath: /etc/ironic/ironic.conf.d/db_conn.conf
+            name: ironic-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: ironic-db-conn
+            secret:
+              secretName: ironic-db-conn
     ironic_conductor:
       ironic_conductor:
         volumeMounts:
+          - mountPath: /etc/ironic/ironic.conf.d/db_conn.conf
+            name: ironic-db-conn
+            subPath: db_conf.conf
+            readOnly: true
           - name: dnsmasq-ironic
             mountPath: /etc/dnsmasq.d/
           - name: dnsmasq-dhcp
             mountPath: /var/lib/dnsmasq/
           - name: understack-data
             mountPath: /var/lib/understack
         volumes:
+          - name: ironic-db-conn
+            secret:
+              secretName: ironic-db-conn
           - name: dnsmasq-ironic
             persistentVolumeClaim:
               claimName: dnsmasq-ironic

components/keystone/keystone-mariadb-db.yaml

@@ -50,3 +50,26 @@ spec:
   grantOption: true
   host: "%"
   retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Connection
+metadata:
+  name: keystone-db-conn
+spec:
+  mariaDbRef:
+    name: mariadb
+  username: keystone
+  passwordSecretKeyRef:
+    name: keystone-db-password
+    key: password
+  database: keystone
+  secretName: keystone-db-conn
+  secretTemplate:
+    key: db_conn.conf
+    format: |
+      [database]
+      connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }}
+  healthCheck:
+    interval: 30s
+    retryInterval: 3s
+  serviceName: mariadb

components/neutron/neutron-mariadb-db.yaml

@@ -50,3 +50,26 @@ spec:
   grantOption: true
   host: "%"
   retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Connection
+metadata:
+  name: neutron-db-conn
+spec:
+  mariaDbRef:
+    name: mariadb
+  username: neutron
+  passwordSecretKeyRef:
+    name: neutron-db-password
+    key: password
+  database: neutron
+  secretName: neutron-db-conn
+  secretTemplate:
+    key: db_conn.conf
+    format: |
+      [database]
+      connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }}
+  healthCheck:
+    interval: 30s
+    retryInterval: 3s
+  serviceName: mariadb

components/neutron/values.yaml

@@ -92,18 +92,22 @@ pod:
         # usually set on per-deployment basis.
         min_available: 0
   mounts:
+    # oslo.config autoloads certain paths in alphabetical order
+    # which gives us the opportunity to inject secrets and extra
+    # configs here. likely the best paths are:
+    # /etc/${project}/${prog}.conf.d/*.conf
+    # /etc/${project}/${project}.conf.d/*.conf
+    # the first would be best for per service separation but since each
+    # service is in its own pod they won't overlap. further more there
+    # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514
+    # so we'll use the bottom one
     neutron_server:
       neutron_server:
         volumeMounts:
-          # oslo.config autoloads certain paths in alphabetical order
-          # which gives us the opportunity to inject secrets and extra
-          # configs here. likely the best paths are:
-          # /etc/${project}/${prog}.conf.d/*.conf
-          # /etc/${project}/${project}.conf.d/*.conf
-          # the first would be best for per service separation but since each
-          # service is in its own pod they won't overlap. further more there
-          # is an issue with that see https://bugs.launchpad.net/oslo.config/+bug/2098514
-          # so we'll use the bottom one
+          - mountPath: /etc/neutron/neutron.conf.d/db_conn.conf
+            name: neutron-db-conn
+            subPath: db_conf.conf
+            readOnly: true
           - mountPath: /etc/neutron/neutron.conf.d/ml2_understack.conf
             name: neutron-nautobot
             subPath: ml2_understack.conf
@@ -112,12 +116,38 @@ pod:
             name: undersync-token
             readOnly: true
         volumes:
+          - name: neutron-db-conn
+            secret:
+              secretName: neutron-db-conn
           - name: neutron-nautobot
             secret:
               secretName: neutron-nautobot
           - name: undersync-token
             secret:
               secretName: undersync-token
+    neutron_ironic_agent:
+      neutron_ironic_agent:
+        volumeMounts:
+          - mountPath: /etc/neutron/neutron.conf.d/db_conn.conf
+            name: neutron-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: neutron-db-conn
+            secret:
+              secretName: neutron-db-conn
+    neutron_db_sync:
+      neutron_db_sync:
+        volumeMounts:
+          - mountPath: /etc/neutron/neutron.conf.d/db_conn.conf
+            name: neutron-db-conn
+            subPath: db_conf.conf
+            readOnly: true
+        volumes:
+          - name: neutron-db-conn
+            secret:
+              secretName: neutron-db-conn
+
 # (nicholas.kuechler) updating the jobs list to remove the 'neutron-rabbit-init' job.
 dependencies:
   dynamic:

components/nova/nova-api-mariadb-db.yaml

@@ -30,3 +30,26 @@ spec:
   grantOption: true
   host: "%"
   retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Connection
+metadata:
+  name: nova-api-db-conn
+spec:
+  mariaDbRef:
+    name: mariadb
+  username: nova
+  passwordSecretKeyRef:
+    name: nova-db-password
+    key: password
+  database: nova_api
+  secretName: nova-api-db-conn
+  secretTemplate:
+    key: db_conn.conf
+    format: |
+      [api_database]
+      connection = mysql+pymysql://{{ .Username }}:{{ .Password }}@{{ .Host }}:{{ .Port }}/{{ .Database }}{{ .Params }}
+  healthCheck:
+    interval: 30s
+    retryInterval: 3s
+  serviceName: mariadb