initial commit

Signed-off-by: Paul Hildebrandt <[email protected]>

.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: csp-helper-chart
+description: A Helm chart to deploy SCS cluster-api-provider-v2 per-tenant resources
+version: 0.2.0
+appVersion: "0.2.0"

README.md

@@ -0,0 +1,5 @@
+This chart can be used to create a new namespace and two secrets for the clusterstacks approach. It reads clouds.yaml files in its raw form either with username and password or with an application credential. The chart is intended to be used once per Openstack-Project/Tenant. It is meant to prepare one corresponding namespace in the cluster-API management cluster (1:1 relation between openstackproject and cluster-namespace). The recommended way to invoke the chart is:
+
+```
+helm upgrade -i <tenant>-credentials -n <tenant> --create-namespace https://github.com/SovereignCloudStack/cluster-stacks/releases/download/openstack-csp-helper-v0.2.0/openstack-csp-helper.tgz -f clouds.yaml
+```

templates/_helpers.tpl

@@ -0,0 +1,104 @@
+{{/*
+Checks whether we have a regular clouds.yaml or one with application credentials.
+*/}}
+
+{{- define "cloud_name" -}}
+{{- if ne
+    ( keys .Values.clouds | len )
+     1
+-}}
+{{ fail "please provide values.yaml/clouds.yaml with exactly one cloud beneath the \".clouds\" key." }}
+{{- end -}}
+{{ keys .Values.clouds | first }}
+{{- end }}
+
+{{- define "auth_auth_url" -}}
+{{ get (get (get .Values.clouds (include "cloud_name" .)) "auth") "auth_url" }}
+{{- end }}
+
+{{- define "auth_username" -}}
+{{ get (get (get .Values.clouds (include "cloud_name" .)) "auth") "username" }}
+{{- end }}
+
+{{- define "auth_password" -}}
+{{ get (get (get .Values.clouds (include "cloud_name" .)) "auth") "password" }}
+{{- end }}
+
+{{- define "auth_project_id" -}}
+{{ get (get (get .Values.clouds (include "cloud_name" .)) "auth") "project_id" }}
+{{- end }}
+
+{{- define "auth_project_name" -}}
+{{ get (get (get .Values.clouds (include "cloud_name" .)) "auth") "project_name" }}
+{{- end }}
+
+{{- define "auth_user_domain_name" -}}
+{{ get (get (get .Values.clouds (include "cloud_name" .)) "auth") "user_domain_name" }}
+{{- end }}
+
+{{- define "auth_application_credential_id" -}}
+{{ get (get (get .Values.clouds (include "cloud_name" .)) "auth") "application_credential_id" }}
+{{- end }}
+
+{{- define "auth_application_credential_secret" -}}
+{{ get (get (get .Values.clouds (include "cloud_name" .)) "auth") "application_credential_secret" }}
+{{- end }}
+
+{{- define "region_name" -}}
+{{ get (get .Values.clouds (include "cloud_name" .)) "region_name"  }}
+{{- end }}
+
+{{- define "isAppCredential" -}}
+{{- if and 
+    ( include "auth_username" .) 
+    (not ( include "auth_application_credential_id" . ))
+-}}
+{{- else if and 
+    ( not ( include "auth_username" . )) 
+    ( include "auth_application_credential_id" . )
+-}}
+true
+{{- else }}
+{{ fail "please provide either username or application_credential_id, not both, not none" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Templates the cloud.conf as needed by the openstack CCM
+*/}}
+{{- define "cloud.conf" -}}
+[Global]
+auth-url={{ include "auth_auth_url" . }}
+region={{ include "region_name" . }}
+{{ if include "isAppCredential" . }}
+application-credential-id={{ include "auth_application_credential_id" . }}
+application-credential-secret={{ include "auth_application_credential_secret" . }}
+{{- else -}}
+username={{ include "auth_username" . }}
+password={{ include "auth_password" . }}
+user-domain-name={{ include "auth_user_domain_name" . }}
+tenant-id={{ include "auth_project_id" . }}
+{{ end }}
+
+[LoadBalancer]
+manage-security-groups=true
+use-octavia=true
+enable-ingress-hostname=true
+create-monitor=true
+{{- end }}
+
+
+
+{{/*
+Templates the secret that contains cloud.conf as needed by the openstack CCM
+*/}}
+{{- define "cloud-config" -}}
+apiVersion: v1
+data:
+  cloud.conf: {{ include "cloud.conf" . | b64enc }}
+kind: Secret
+metadata:
+  name: cloud-config
+  namespace: kube-system
+type: Opaque
+{{- end }}

templates/cloud-secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "cloud_name" . }} 
+data:
+  clouds.yaml: {{ toYaml .Values | b64enc }}
+type: Opaque

templates/cluster-resource-set.yaml

@@ -0,0 +1,12 @@
+apiVersion: addons.cluster.x-k8s.io/v1beta1
+kind: ClusterResourceSet
+metadata:
+  name: crs-{{ include "cloud_name" . }}-secret
+spec:
+  strategy: "Reconcile"
+  clusterSelector:
+    matchLabels:
+      managed-secret: cloud-config
+  resources:
+    - name: {{ include "cloud_name" . }}-workload-cluster-secret
+      kind: Secret

templates/openstack-workload-cluster-secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+  cloud-config-secret: {{ include "cloud-config" . | b64enc }}
+kind: Secret
+metadata:
+  name: {{ include "cloud_name" . }}-workload-cluster-secret
+type: addons.cluster.x-k8s.io/resource-set 

values.yaml

@@ -0,0 +1,34 @@
+# This chart is intended to be used directly with the clouds.yaml that is
+# produced by OpenStacks Horizon dashboard. You can directly use the clouds.yaml
+# as values file. This values-file here is intentionally left blank so there will be
+# no merged clutter when you provide yours.
+#
+# You can either use a clouds.yaml with username and password or one with application
+# credentials. Possible combinations are:
+#
+# Username/password
+# clouds:
+#   openstack:
+#     auth:
+#       auth_url: https://api.gx-scs.sovereignit.cloud:5000
+#       username: "u500924-mxmxc"
+#       password: "golden1337"
+#       project_id: e7622c1048ac4520a2d050ae1416b
+#       project_name: "p500924"
+#       user_domain_name: "d500924"
+#     region_name: "RegionOne"
+#     interface: "public"
+#     identity_api_version: 3
+#
+#
+# Application credentials:
+# clouds:
+#   openstack:
+#     auth:
+#       auth_url: https://keystone.services.a.regiocloud.tech
+#       application_credential_id: "a2202990c5454f42ae2d891fa00df1a3"
+#       application_credential_secret: ""
+#     region_name: "RegionA"
+#     interface: "public"
+#     identity_api_version: 3
+#     auth_type: "v3applicationcredential"