Merge pull request #1684 from rackerlabs/update-workflows

chore(workflows): remove old static secret and reduce volume duplication

Author: cardoe

ansible/roles/keystone_bootstrap/tasks/misc.yml

@@ -13,21 +13,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-- name: Create 'argoworkflow' user
-  openstack.cloud.identity_user:
-    name: argoworkflow
-    password: demo
-    domain: infra
-    state: present
-
-- name: Set 'argoworkflow' role
-  openstack.cloud.role_assignment:
-    domain: infra
-    user: argoworkflow
-    project: baremetal
-    role: admin
-    state: present
-
 - name: Create 'monitoring' user
   openstack.cloud.identity_user:
     name: monitoring

components/openstack/templates/secretstore-openstack.yaml.tpl

@@ -26,7 +26,6 @@ rules:
   - watch
   resourceNames:
   - baremetal-manage
-  - svc-acct-argoworkflow
   - svc-acct-netapp
   - cinder-netapp-config
   - admin-keystone-password

components/openstack/templates/svc-acct-argoworkflow.yaml.tpl

@@ -4,7 +4,6 @@ kind: Kustomization
 resources:
   - eventbus/eventbus-default.yaml
   - eventbus/poddisruptionbudget-eventbus-default-pdb.yaml
-  - secrets/openstack-svc-acct.yaml
   - secrets/operate-workflow-sa.token.yaml
   - secrets/baremetal-manage.yaml
   - eventsources/nautobot-webhook.yaml

workflows/argo-events/kustomization.yaml

@@ -48,9 +48,12 @@ spec:
             value: understack
         volumeMounts:
           - mountPath: /etc/openstack
-            name: openstack-svc-acct
+            name: baremetal-manage
             readOnly: true
       volumes:
-        - name: openstack-svc-acct
+        - name: baremetal-manage
           secret:
-            secretName: openstack-svc-acct
+            secretName: baremetal-manage
+            items:
+              - key: clouds.yaml
+                path: clouds.yaml

workflows/argo-events/secrets/openstack-svc-acct.yaml

@@ -10,6 +10,16 @@ kind: WorkflowTemplate
 spec:
   serviceAccountName: workflow
   entrypoint: main
+  volumes:
+    - name: bmc-master
+      secret:
+        secretName: bmc-master
+    - name: baremetal-manage
+      secret:
+        secretName: baremetal-manage
+        items:
+          - key: clouds.yaml
+            path: clouds.yaml
   arguments:
     parameters:
       - name: ip_address
@@ -104,16 +114,6 @@ spec:
           value: "{{workflow.name}}"
         - name: WF_UID
           value: "{{workflow.uid}}"
-      volumes:
-        - name: bmc-master
-          secret:
-            secretName: bmc-master
-        - name: baremetal-manage
-          secret:
-            secretName: baremetal-manage
-            items:
-              - key: clouds.yaml
-                path: clouds.yaml
     - name: openstack-wait-cmd
       inputs:
         parameters:
@@ -136,13 +136,6 @@ spec:
         volumeMounts:
           - mountPath: /etc/openstack
             name: baremetal-manage
-      volumes:
-        - name: baremetal-manage
-          secret:
-            secretName: baremetal-manage
-            items:
-              - key: clouds.yaml
-                path: clouds.yaml
     - name: get-raid-config
       container:
         image: ghcr.io/rackerlabs/understack/ironic-nautobot-client:latest
@@ -165,16 +158,6 @@ spec:
           value: "{{workflow.name}}"
         - name: WF_UID
           value: "{{workflow.uid}}"
-      volumes:
-        - name: bmc-master
-          secret:
-            secretName: bmc-master
-        - name: baremetal-manage
-          secret:
-            secretName: baremetal-manage
-            items:
-              - key: clouds.yaml
-                path: clouds.yaml
     - name: openstack-set-baremetal-node-raid-config
       inputs:
         parameters:
@@ -214,13 +197,6 @@ spec:
         volumeMounts:
           - mountPath: /etc/openstack
             name: baremetal-manage
-      volumes:
-        - name: baremetal-manage
-          secret:
-            secretName: baremetal-manage
-            items:
-              - key: clouds.yaml
-                path: clouds.yaml
     - name: openstack-state-cmd
       inputs:
         parameters:
@@ -244,10 +220,3 @@ spec:
         volumeMounts:
           - mountPath: /etc/openstack
             name: baremetal-manage
-      volumes:
-        - name: baremetal-manage
-          secret:
-            secretName: baremetal-manage
-            items:
-              - key: clouds.yaml
-                path: clouds.yaml

workflows/argo-events/workflowtemplates/alert-automation-neutron-agent-down.yaml

@@ -10,6 +10,13 @@ kind: WorkflowTemplate
 spec:
   serviceAccountName: workflow
   entrypoint: inspect-server
+  volumes:
+    - name: baremetal-manage
+      secret:
+        secretName: baremetal-manage
+        items:
+          - key: clouds.yaml
+            path: clouds.yaml
   arguments:
     parameters:
       - name: node
@@ -226,13 +233,6 @@ spec:
         volumeMounts:
           - mountPath: /etc/openstack
             name: baremetal-manage
-      volumes:
-        - name: baremetal-manage
-          secret:
-            secretName: baremetal-manage
-            items:
-              - key: clouds.yaml
-                path: clouds.yaml
     - name: openstack-set-cmd
       inputs:
         parameters:
@@ -257,13 +257,6 @@ spec:
         volumeMounts:
           - mountPath: /etc/openstack
             name: baremetal-manage
-      volumes:
-        - name: baremetal-manage
-          secret:
-            secretName: baremetal-manage
-            items:
-              - key: clouds.yaml
-                path: clouds.yaml
     - name: openstack-read-param
       inputs:
         parameters:
@@ -289,10 +282,3 @@ spec:
         volumeMounts:
           - mountPath: /etc/openstack
             name: baremetal-manage
-      volumes:
-        - name: baremetal-manage
-          secret:
-            secretName: baremetal-manage
-            items:
-              - key: clouds.yaml
-                path: clouds.yaml

workflows/argo-events/workflowtemplates/enroll-server.yaml

@@ -40,12 +40,15 @@ spec:
             name: nb-token
             readOnly: true
           - mountPath: /etc/openstack
-            name: openstack-svc-acct
+            name: baremetal-manage
             readOnly: true
       volumes:
         - name: nb-token
           secret:
             secretName: nautobot-token
-        - name: openstack-svc-acct
+        - name: baremetal-manage
           secret:
-            secretName: openstack-svc-acct
+            secretName: baremetal-manage
+            items:
+              - key: clouds.yaml
+                path: clouds.yaml

workflows/argo-events/workflowtemplates/inspect-server.yaml

@@ -52,12 +52,15 @@ spec:
             name: nb-token
             readOnly: true
           - mountPath: /etc/openstack
-            name: openstack-svc-acct
+            name: baremetal-manage
             readOnly: true
       volumes:
         - name: nb-token
           secret:
             secretName: nautobot-token
-        - name: openstack-svc-acct
+        - name: baremetal-manage
           secret:
-            secretName: openstack-svc-acct
+            secretName: baremetal-manage
+            items:
+              - key: clouds.yaml
+                path: clouds.yaml