feat: move OpenStack secrets to a helm values file

Move the loading of the OpenStack secrets into populating a values file
that can be supplied to the helm command. In theory now a user could
supply this file separately and use GitOps to install the OpenStack Helm
components.

components/10-keystone/README.md

@@ -48,14 +48,15 @@ Secrets Reference:
 - keystone-rabbitmq-password is the RabbitMQ password for the keystone user.
 
 ```bash
+# create secrets yaml file if you're not already storing or providing it differently
+./scripts/gen-os-secrets.sh secret-openstack.yaml
+
 helm --namespace openstack template \
     keystone \
     ./openstack-helm/keystone/ \
     -f components/openstack-2023.1-jammy.yaml \
     -f components/10-keystone/aio-values.yaml \
-    --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
-    --set endpoints.oslo_db.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)" \
-    --set endpoints.oslo_messaging.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
+    -f secret-openstack.yaml \
     --post-renderer $(git rev-parse --show-toplevel)/scripts/openstack-helm-sealed-secrets.sh \
     | kubectl -n openstack apply -f -
 ```

components/13-ironic/README.md

@@ -45,15 +45,15 @@ Secrets Reference:
   is created by the ks-user job using the keystone-admin credential.
 
 ```bash
+# create secrets yaml file if you're not already storing or providing it differently
+./scripts/gen-os-secrets.sh secret-openstack.yaml
+
 helm --namespace openstack template \
     ironic \
     ./openstack-helm/ironic/ \
     -f components/openstack-2023.1-jammy.yaml \
     -f components/13-ironic/aio-values.yaml \
-    --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
-    --set endpoints.oslo_db.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-db-password -o jsonpath='{.data.password}' | base64 -d)" \
-    --set endpoints.oslo_messaging.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
-    --set endpoints.identity.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-keystone-password -o jsonpath='{.data.password}' | base64 -d)" \
+    -f secret-openstack.yaml \
     --post-renderer $(git rev-parse --show-toplevel)/scripts/openstack-helm-sealed-secrets.sh \
     | kubectl -n openstack apply -f -
 ```

components/openstack-secrets.tpl.yaml

@@ -0,0 +1,39 @@
+# The purpose of this file is to serve as a template for OpenStack Helm
+# based secrets values that are necessary for OpenStack Helm to populate
+# it's configmap-etc, which is really a secret with connection strings
+---
+
+endpoints:
+
+  # 'identity' endpoints are for keystone access
+  identity:
+    auth:
+      # this is the 'admin' user created in keystone by the initial start
+      # and used by the other services to create their service accounts
+      # and endpoint in the service catalog.
+      admin:
+        password: "${KEYSTONE_ADMIN_PASSWORD}"
+      # this user is the service account that ironic uses
+      ironic:
+        password: "${IRONIC_KEYSTONE_PASSWORD}"
+
+  # 'oslo_db' is for MariaDB
+  oslo_db:
+    auth:
+      # this is what the keystone service uses to connect to MariaDB
+      keystone:
+        password: "${KEYSTONE_DB_PASSWORD}"
+      # this is what the ironic service uses to connect to MariaDB
+      ironic:
+        password: "${IRONIC_DB_PASSWORD}"
+
+  # 'oslo_messaging' is for RabbitMQ
+  oslo_messaging:
+    auth:
+      # this is what the keystone service uses to connect to RabbitMQ
+      keystone:
+        password: "${KEYSTONE_RABBITMQ_PASSWORD}"
+      # this is what the ironic service uses to connect to RabbitMQ
+      ironic:
+        password: "${IRONIC_RABBITMQ_PASSWORD}"
+...

scripts/gen-os-secrets.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+if [ $# -ne 1 ]; then
+    echo "$(basename "$0") <output-file>" >&2
+    exit 1
+fi
+
+set -o pipefail
+
+if ! type -p yq > /dev/null; then
+    echo "You must have yq installed to use this script" >&2
+    exit 1
+fi
+
+if ! type -p kubectl > /dev/null; then
+    echo "You must have kubectl installed to use this script" >&2
+    exit 1
+fi
+
+SCRIPTS_DIR="$(dirname "$0")"
+
+echo "This script will attempt to look up the existing values this repo used"
+echo "or will generate new values. The output below will be related to that."
+
+# keystone admin
+export KEYSTONE_ADMIN_PASSWORD=$(kubectl -n openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+# keystone mariadb
+export KEYSTONE_DB_PASSWORD=$(kubectl -n openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+# keystone rabbitmq
+export KEYSTONE_RABBITMQ_PASSWORD=$(kubectl -n openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+
+# ironic keystone service account
+export IRONIC_KEYSTONE_PASSWORD=$(kubectl -n openstack get secret ironic-keystone-password -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+# ironic mariadb
+export IRONIC_DB_PASSWORD=$(kubectl -n openstack get secret ironic-db-password -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+# ironic rabbitmq
+export IRONIC_RABBITMQ_PASSWORD=$(kubectl -n openstack get secret ironic-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d || "${SCRIPTS_DIR}/pwgen.sh")
+
+yq '(.. | select(tag == "!!str")) |= envsubst' \
+    "${SCRIPTS_DIR}/../components/openstack-secrets.tpl.yaml" \
+    > "$1"