Add posibilities to specify metadata password selector per cell #809
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mrkisaolamb The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
api/v1beta1/novametadata_types.go
Outdated
| // between nova and neutron ovn-metadata inside selected cell | ||
| // and if this is not defined the global metadata_proxy_shared_secret | ||
| // secret will be used | ||
| MetadataSecret string `json:"metadataSecret"` |
There was a problem hiding this comment.
This is a deviation from the existing pattern regarding how we get secret data from the user via the Nova CR. So far our interface was a single Nova.spec.secret field and a configurable password selector to select fields out of that secret. I think this patter can be extended without the need on on the user side to create a separate secret per cell to pass the metadata secret.
There could be a per celltemplate or per metadatatemplate password selector to configure which field from the nova.spec.secret should be used for the metadata service in the given cell. We can default that to empty or default it to the same value as the NovaSpec level password selector for the metadata secret "MetadataSecret" to implement that by default all metadata uses the same secret field.
Now metadata password can be specified per cell using global nova secret. Key should be value of PrefixMetadataCellsSecret + cellName eg. MetadataCellsSecretcell1. If there is no defined MetadataSecret for cell secret from MetadataSecret will be used
mrkisaolamb
force-pushed
the
metadata_per_cell
branch
from
d88d6b7
to
1751b73
Compare
Now metadata password can be specified per cell using MetadataTemplate. If there is no defined MetadataSecret secret from top nova secret is used
close #524