feat(openstack): share service acct credentials via ESO #1235
+5,190
−39
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
8e67f52 to
431b431
Compare
431b431 to
a9ba646
Compare
skrobul
approved these changes
Sep 11, 2025
The commit I just added makes it so we can get rid of part of it. |
d5a7979 to
6657a7d
Compare
|
Ah I should have kept the changes separate but I squashed them all in @skrobul. Sorry. But I think I've now addressed all your reviews. |
6657a7d to
c35ac8d
Compare
2718cbe to
e49857c
Compare
Utilize the External Secrets Operator to define the OpenStack service account credentials that OpenStack Helm needs to work with Keystone service accounts for the various OpenStack services. This allows one cluster to run Keystone and another to run the OpenStack services and to utilize the ESO operator to keep the credentials in sync between the two. Co-authored-by: Marek Skrobacki <[email protected]>
The change to mount these has not landed in all upstream charts and we've also not updated to the charts that have this change across the board. So for now include it in all of our configs until this change can make its way upstream.
fba2060 to
ba214e0
Compare
…scripts The --config-file flag is hardcoded in a number of scripts which results in preference to that file over the directories which is not the behavior we want since we want to override. However since the OpenStack Helm charts provide no way to change this behavior we need to replace the entire configmap-bin. This one is taken from two environments which were identical and then had the --config-dir flag added so that it continues to work.
ba214e0 to
ad14140
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Utilize the External Secrets Operator to define the OpenStack service account credentials that OpenStack Helm needs to work with Keystone service accounts for the various OpenStack services. This allows one cluster to run Keystone and another to run the OpenStack services and to utilize the ESO operator to keep the credentials in sync between the two.