Add posibilities to specify metadata password selector per cell

Now metadata password can be specified per cell using
MetadataTemplate. If there is no defined MetadataSecret
secret from top nova secret is used

api/bases/nova.openstack.org_nova.yaml

@@ -528,6 +528,14 @@ spec:
                             state until the manually create NovaMetadata CR is deleted
                             manually.
                           type: boolean
+                        metadataSecret:
+                          description: Secret is the name of the Secret instance containing
+                            metadata_proxy_shared_secret information for the nova-metadata
+                            service. This secret is shared between nova and neutron
+                            ovn-metadata inside selected cell and if this is not defined
+                            the global metadata_proxy_shared_secret secret will be
+                            used
+                          type: string
                         networkAttachments:
                           description: NetworkAttachments is a list of NetworkAttachment
                             resource names to expose the services to the given network
@@ -1296,6 +1304,13 @@ spec:
                       error state until the manually create NovaMetadata CR is deleted
                       manually.
                     type: boolean
+                  metadataSecret:
+                    description: Secret is the name of the Secret instance containing
+                      metadata_proxy_shared_secret information for the nova-metadata
+                      service. This secret is shared between nova and neutron ovn-metadata
+                      inside selected cell and if this is not defined the global metadata_proxy_shared_secret
+                      secret will be used
+                    type: string
                   networkAttachments:
                     description: NetworkAttachments is a list of NetworkAttachment
                       resource names to expose the services to the given network

api/bases/nova.openstack.org_novacells.yaml

@@ -212,6 +212,13 @@ spec:
                       error state until the manually create NovaMetadata CR is deleted
                       manually.
                     type: boolean
+                  metadataSecret:
+                    description: Secret is the name of the Secret instance containing
+                      metadata_proxy_shared_secret information for the nova-metadata
+                      service. This secret is shared between nova and neutron ovn-metadata
+                      inside selected cell and if this is not defined the global metadata_proxy_shared_secret
+                      secret will be used
+                    type: string
                   networkAttachments:
                     description: NetworkAttachments is a list of NetworkAttachment
                       resource names to expose the services to the given network

api/v1beta1/novametadata_types.go

@@ -84,6 +84,14 @@ type NovaMetadataTemplate struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// TLS - Parameters related to the TLS
 	TLS tls.SimpleService `json:"tls,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// Secret is the name of the Secret instance containing metadata_proxy_shared_secret
+	// information for the nova-metadata service. This secret is shared
+	// between nova and neutron ovn-metadata inside selected cell
+	// and if this is not defined the global metadata_proxy_shared_secret
+	// secret will be used
+	MetadataSecret string `json:"metadataSecret"`
 }
 
 // MetadataOverrideSpec to override the generated manifest of several child resources.

config/crd/bases/nova.openstack.org_nova.yaml

@@ -528,6 +528,14 @@ spec:
                             state until the manually create NovaMetadata CR is deleted
                             manually.
                           type: boolean
+                        metadataSecret:
+                          description: Secret is the name of the Secret instance containing
+                            metadata_proxy_shared_secret information for the nova-metadata
+                            service. This secret is shared between nova and neutron
+                            ovn-metadata inside selected cell and if this is not defined
+                            the global metadata_proxy_shared_secret secret will be
+                            used
+                          type: string
                         networkAttachments:
                           description: NetworkAttachments is a list of NetworkAttachment
                             resource names to expose the services to the given network
@@ -1296,6 +1304,13 @@ spec:
                       error state until the manually create NovaMetadata CR is deleted
                       manually.
                     type: boolean
+                  metadataSecret:
+                    description: Secret is the name of the Secret instance containing
+                      metadata_proxy_shared_secret information for the nova-metadata
+                      service. This secret is shared between nova and neutron ovn-metadata
+                      inside selected cell and if this is not defined the global metadata_proxy_shared_secret
+                      secret will be used
+                    type: string
                   networkAttachments:
                     description: NetworkAttachments is a list of NetworkAttachment
                       resource names to expose the services to the given network

config/crd/bases/nova.openstack.org_novacells.yaml

@@ -212,6 +212,13 @@ spec:
                       error state until the manually create NovaMetadata CR is deleted
                       manually.
                     type: boolean
+                  metadataSecret:
+                    description: Secret is the name of the Secret instance containing
+                      metadata_proxy_shared_secret information for the nova-metadata
+                      service. This secret is shared between nova and neutron ovn-metadata
+                      inside selected cell and if this is not defined the global metadata_proxy_shared_secret
+                      secret will be used
+                    type: string
                   networkAttachments:
                     description: NetworkAttachments is a list of NetworkAttachment
                       resource names to expose the services to the given network

controllers/nova_controller.go

@@ -1647,7 +1647,26 @@ func (r *NovaReconciler) ensureCellSecret(
 	// If metadata is enabled in the cell then the cell secret needs the
 	// metadata shared secret
 	if *cellTemplate.MetadataServiceTemplate.Enabled {
-		data[MetadataSecretSelector] = string(externalSecret.Data[instance.Spec.PasswordSelectors.MetadataSecret])
+		if *&cellTemplate.MetadataServiceTemplate.MetadataSecret != "" {
+			expectedSelectors := []string{
+				instance.Spec.PasswordSelectors.MetadataSecret,
+			}
+
+			_, _, metadataSecret, err := ensureSecret(
+				ctx,
+				types.NamespacedName{Namespace: instance.Namespace, Name: cellTemplate.MetadataServiceTemplate.MetadataSecret},
+				expectedSelectors,
+				h.GetClient(),
+				&instance.Status.Conditions,
+				r.RequeueTimeout,
+			)
+			if err != nil {
+				return "", err
+			}
+			data[MetadataSecretSelector] = string(metadataSecret.Data[instance.Spec.PasswordSelectors.MetadataSecret])
+		} else {
+			data[MetadataSecretSelector] = string(externalSecret.Data[instance.Spec.PasswordSelectors.MetadataSecret])
+		}
 	}
 
 	// NOTE(gibi): When we switch to immutable secrets then we need to include

test/functional/nova_multicell_test.go

@@ -849,6 +849,18 @@ var _ = Describe("Nova multi cell", func() {
 			DeferCleanup(mariadb.DeleteDBService, mariadb.CreateDBService(cell0.MariaDBDatabaseName.Namespace, cell0.MariaDBDatabaseName.Name, serviceSpec))
 			DeferCleanup(mariadb.DeleteDBService, mariadb.CreateDBService(cell1.MariaDBDatabaseName.Namespace, cell1.MariaDBDatabaseName.Name, serviceSpec))
 
+			secretMap := map[string][]byte{
+				"MetadataSecret": []byte("metadata-secret-cell1"),
+			}
+			cell1Metadata := types.NamespacedName{
+				Namespace: novaNames.NovaName.Namespace,
+				Name:      novaNames.NovaName.Name + "-" + cell1.CellName + "-metadata",
+			}
+			secretMetadataCell1 := th.CreateSecret(
+				cell1Metadata,
+				secretMap,
+			)
+			DeferCleanup(k8sClient.Delete, ctx, secretMetadataCell1)
 			spec := GetDefaultNovaSpec()
 			cell0Template := GetDefaultNovaCellTemplate()
 			cell0Template["cellDatabaseInstance"] = cell0.MariaDBDatabaseName.Name
@@ -859,7 +871,8 @@ var _ = Describe("Nova multi cell", func() {
 			cell1Template["cellDatabaseAccount"] = cell1.MariaDBAccountName.Name
 			cell1Template["cellMessageBusInstance"] = cell1.TransportURLName.Name
 			cell1Template["metadataServiceTemplate"] = map[string]interface{}{
-				"enabled": true,
+				"enabled":        true,
+				"metadataSecret": secretMetadataCell1.Name,
 			}
 
 			spec["cellTemplates"] = map[string]interface{}{
@@ -935,10 +948,12 @@ var _ = Describe("Nova multi cell", func() {
 
 			cell1Secret := th.GetSecret(cell1.InternalCellSecretName)
 			Expect(cell1Secret.Data).To(
-				HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret")))
+				HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret-cell1")))
 			cell0Secret := th.GetSecret(cell0.InternalCellSecretName)
 			Expect(cell0Secret.Data).NotTo(
 				HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret")))
+			Expect(cell0Secret.Data).NotTo(
+				HaveKeyWithValue(controllers.MetadataSecretSelector, []byte("metadata-secret-cell1")))
 		})
 	})
 })