[cinder] Split api in external and internal pods

We want to configure different rate-limits and policies for
inter-service communication compared to user communication. To make this
work, we need different cinder-api pods. Keystone's service-catalog
already supports having different endpoints for these purposes.

We spawn a cinder-api-external and a cinder-api-internal deployment each
with their own cinder-api-external/internal-ratelimit-redis, since the
rate-limit-middleware doesn't support re-using the same redis for
multiple apis and it allows us to deploy the redis next to the
cinder-api in the same cluster, if we want to.

Since most of the configuration/YAML is the same between the two
cinder-api pods, we define template function and provide the individual
configuration as parameters.

During the rollout, there will be a time where the new internal endpoint
is not yet synced into the Keystone catalogue. Therefore, we also keep
the old "cinder-api" Service alive, pointing to the cinder-api-external
Deployment as before.

It should be easy to extend this pattern with an "admin" API endpoint as
supported by Keystone's catalogue if we choose to use that in the
future.

This commit contains some restructuring, e.g. introducing new
cinder-api-external-etc and cinder-api-internal-etc ConfigMaps to hold
and template API configuration and switching to projected volume
mounting in the api Deployment for better readability and static config
during the runtime.

Author: joker-at-work

openstack/cinder/Chart.lock

@@ -20,11 +20,14 @@ dependencies:
 - name: redis
   repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
   version: 2.2.19
+- name: redis
+  repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
+  version: 2.2.19
 - name: owner-info
   repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
   version: 1.0.0
 - name: linkerd-support
   repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
   version: 1.1.1
-digest: sha256:4c25b977f75c6f0198aa9be9aabd7452328a1a589fb88cf2cea5ff1868b499c1
-generated: "2025-10-13T10:21:01.941018+03:00"
+digest: sha256:66e466fa523d0d69f7ada1880e2bf097a93a8e26b8011507dc1ea475a98b4243
+generated: "2025-10-23T10:19:58.090399364+02:00"

openstack/cinder/Chart.yaml

@@ -28,10 +28,15 @@ dependencies:
     repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
     version: 0.18.5
   - name: redis
-    alias: api-ratelimit-redis
+    alias: api-external-ratelimit-redis
     repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
     version: 2.2.19
-    condition: api_rate_limit.enabled
+    condition: api_external.rate_limit.enabled
+  - name: redis
+    alias: api-internal-ratelimit-redis
+    repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
+    version: 2.2.19
+    condition: api_internal.rate_limit.enabled
   - name: owner-info
     repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
     version: 1.0.0

openstack/cinder/ci/test-values.yaml

@@ -72,3 +72,8 @@ cors:
 utils:
   cors:
     allowed_origin: 'https://test.domain'
+
+api-external-ratelimit-redis:
+  redisPassword: "very-external"
+api-internal-ratelimit-redis:
+  redisPassword: "much-internal"

openstack/cinder/templates/_helpers.tpl

@@ -10,7 +10,7 @@
 {{- end }}
 
 {{- define "cinder.scheduler_service_dependencies" }}
-  {{- template "cinder.rabbitmq_service" . }},cinder-api
+  {{- template "cinder.rabbitmq_service" . }},cinder-api-external
 {{- end }}
 
 {{- define "cinder.db_service" }}

openstack/cinder/templates/api-deployment.yaml

@@ -1,8 +1,12 @@
+{{- define "cinder.api.deployment" -}}
+{{- $type := index . 1 -}}
+{{- $conf := index . 2 -}}
+{{- with index . 0 -}}
 kind: Deployment
 apiVersion: apps/v1
 
 metadata:
-  name: cinder-api
+  name: cinder-api-{{ $type }}
   labels:
     system: openstack
     type: api
@@ -11,7 +15,7 @@ metadata:
     secret.reloader.stakater.com/reload: "{{ .Release.Name }}-secrets"
     deployment.reloader.stakater.com/pause-period: "60s"
 spec:
-  replicas: {{ .Values.pod.replicas.api }}
+  replicas: {{ $conf.replicas }}
   revisionHistoryLimit: {{ .Values.pod.lifecycle.upgrades.deployments.revisionHistory }}
   strategy:
     type: {{ .Values.pod.lifecycle.upgrades.deployments.podReplacementStrategy }}
@@ -22,25 +26,25 @@ spec:
     {{ end }}
   selector:
     matchLabels:
-      name: cinder-api
+      name: cinder-api-{{ $type }}
   template:
     metadata:
       labels:
-        name: cinder-api
-        {{- tuple . "cinder" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | nindent 8 }}
+        name: cinder-api-{{ $type }}
+        {{- tuple . "cinder" (printf "api-%s" $type) | include "helm-toolkit.snippets.kubernetes_metadata_labels" | nindent 8 }}
         {{- include "utils.topology.pod_label" . | indent 8 }}
       annotations:
-        configmap-etc-hash: {{ include (print $.Template.BasePath "/etc-configmap.yaml") . | sha256sum }}
-        secrets-hash: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+        configmap-etc-hash: {{ include (print .Template.BasePath "/etc-configmap.yaml") . | sha256sum }}
+        secrets-hash: {{ include (print .Template.BasePath "/secrets.yaml") . | sha256sum }}
         {{- if .Values.proxysql.mode }}
         prometheus.io/scrape: "true"
         prometheus.io/targets: {{ required ".Values.alerts.prometheus missing" .Values.alerts.prometheus | quote }}
         {{- end }}
         {{- include "utils.linkerd.pod_and_service_annotation" . | indent 8 }}
     spec:
-      {{- tuple . "cinder" "api" | include "kubernetes_pod_anti_affinity" | nindent 6 }}
+      {{- tuple . "cinder" (printf "api-%s" $type) | include "kubernetes_pod_anti_affinity" | nindent 6 }}
       {{- include "utils.proxysql.pod_settings" . | nindent 6 }}
-      {{- tuple . (dict "name" "cinder-api") | include "utils.topology.constraints" | indent 6 }}
+      {{- tuple . (dict "name" (printf "cinder-api-%s" $type)) | include "utils.topology.constraints" | indent 6 }}
       initContainers:
       {{- tuple . (dict "service" (include "cinder.service_dependencies" . ) "jobs" (include "cinder.migration_job_name" .)) | include "utils.snippets.kubernetes_entrypoint_init_container" | indent 6 }}
       {{- if .Values.proxysql.native_sidecar }}
@@ -51,7 +55,7 @@ spec:
           image: {{required ".Values.global.registry is missing" .Values.global.registry}}/loci-cinder:{{.Values.imageVersionCinderApi | default .Values.imageVersion | required "Please set cinder.imageVersion or similar" }}
           imagePullPolicy: {{ required ".Values.global.imagePullPolicy is missing" .Values.global.imagePullPolicy }}
           command:
-          {{- if .Values.api.use_uwsgi }}
+          {{- if $conf.use_uwsgi }}
             - uwsgi
             - --ini
             - /etc/cinder/api_uwsgi.ini
@@ -70,7 +74,7 @@ spec:
                 name: sentry
                 key: {{ .Chart.Name }}.DSN.python
           {{- end }}
-          {{- if .Values.api.use_uwsgi }}
+          {{- if $conf.use_uwsgi }}
           - name: OS_OSLO_MESSAGING_RABBIT__HEARTBEAT_IN_PTHREAD
             value: "true"
           {{- end }}
@@ -89,64 +93,16 @@ spec:
               port: cinder-api
             initialDelaySeconds: 15
             timeoutSeconds: 5
-          {{- if .Values.pod.resources.api }}
+          {{- if $conf.resources }}
           resources:
-{{ toYaml .Values.pod.resources.api | indent 12 }}
+            {{- toYaml $conf.resources | nindent 12 }}
           {{- end }}
           ports:
             - name: cinder-api
               containerPort: {{.Values.cinderApiPortInternal }}
           volumeMounts:
-            - name: etccinder
-              mountPath: /etc/cinder
-            - name: cinder-etc
-              mountPath: /etc/cinder/cinder.conf
-              subPath: cinder.conf
-              readOnly: true
-            - name: cinder-etc-confd
-              mountPath: /etc/cinder/cinder.conf.d
-            - name: cinder-etc
-              mountPath: /etc/cinder/api-paste.ini
-              subPath: api-paste.ini
-              readOnly: true
-           {{- if .Values.api.use_uwsgi }}
-            - mountPath: /etc/cinder/api_uwsgi.ini
-              name: cinder-etc
-              subPath: api_uwsgi.ini
-              readOnly: true
-           {{- end }}
-            - name: cinder-etc
-              mountPath: /etc/cinder/policy.yaml
-              subPath: policy.yaml
-              readOnly: true
-            - name: cinder-etc
-              mountPath: /etc/cinder/logging.ini
-              subPath: logging.ini
-              readOnly: true
-            - name: cinder-etc
-              mountPath: /etc/cinder/cinder_audit_map.yaml
-              subPath: cinder_audit_map.yaml
-              readOnly: true
-            - name: cinder-etc
-              mountPath: /etc/cinder/resource_filters.json
-              subPath: resource_filters.json
-              readOnly: true
-            {{- if .Values.api_rate_limit.enabled }}
-            - name: cinder-etc
-              mountPath: /etc/cinder/ratelimit.yaml
-              subPath: ratelimit.yaml
-              readOnly: true
-            - name: redis-ratelimit-secret
-              mountPath: /etc/cinder/ratelimit-backend-secret.conf
-              subPath: ratelimit-backend-secret.conf
-              readOnly: true
-            {{- end }}
-            {{- if .Values.watcher.enabled }}
             - name: cinder-etc
-              mountPath: /etc/cinder/watcher.yaml
-              subPath: watcher.yaml
-              readOnly: true
-            {{- end }}
+              mountPath: /etc/cinder
             {{- include "utils.proxysql.volume_mount" . | indent 12 }}
             {{- include "utils.coordination.volume_mount" . | indent 12 }}
         {{- if not .Values.proxysql.native_sidecar }}
@@ -163,27 +119,82 @@ spec:
             - name: metrics
               containerPort: {{ .Values.port_metrics }}
           volumeMounts:
-            - name: cinder-etc
-              mountPath: /etc/statsd/statsd-exporter.yaml
-              subPath: statsd-exporter.yaml
-              readOnly: true
-{{- include "jaeger_agent_sidecar" . | indent 8 }}
+          - name: statsd-etc
+            mountPath: /etc/statsd/statsd-exporter.yaml
+            subPath: statsd-exporter.yaml
+            readOnly: true
+        {{- include "jaeger_agent_sidecar" . | indent 8 }}
       volumes:
-        - name: etccinder
-          emptyDir: {}
-        - name: cinder-etc
-          configMap:
-            name: cinder-etc
-        - name: cinder-etc-confd
-          secret:
-            secretName: {{ .Release.Name }}-secrets
-        {{- include "utils.proxysql.volumes" . | indent 8 }}
-        {{- include "utils.coordination.volumes" . | indent 8 }}
-
-        {{- if .Values.api_rate_limit.enabled }}
-        - name: redis-ratelimit-secret
-          secret:
-            secretName: cinder-api-ratelimit-secret
-        {{- end }}
-
+      - name: cinder-etc
+        projected:
+          sources:
+          - configMap:
+              name: cinder-etc
+              items:
+              - key: cinder.conf
+                path: cinder.conf
+              - key: logging.ini
+                path: logging.ini
+          - secret:
+              name: {{ .Release.Name }}-secrets
+              items:
+              - key: secrets.conf
+                path: cinder.conf.d/secrets.conf
+          - configMap:
+              name: cinder-api-{{ $type }}-etc
+              items:
+              - key: cinder-api.conf
+                path: cinder-api.conf
+              - key: api-paste.ini
+                path: api-paste.ini
+              {{- if $conf.use_uwsgi }}
+              - key: api_uwsgi.ini
+                path: api_uwsgi.ini
+              {{- end }}
+              - key: policy.yaml
+                path: policy.yaml
+              - key: resource_filters.json
+                path: resource_filters.json
+              {{- if .Values.audit.enabled }}
+              - key: cinder_audit_map.yaml
+                path: cinder_audit_map.yaml
+              {{- end }}
+              {{- if .Values.watcher.enabled }}
+              - key: watcher.yaml
+                path: watcher.yaml
+              {{- end }}
+              {{- if $conf.rate_limit.enabled }}
+              - key: ratelimit.yaml
+                path: ratelimit.yaml
+              {{- end }}
+          {{- if $conf.rate_limit.enabled }}
+          - secret:
+              name: cinder-api-{{ $type }}-ratelimit-secret
+              items:
+              - key: ratelimit-backend-secret.conf
+                path: ratelimit-backend-secret.conf
+          {{- end }}
+      - name: statsd-etc
+        projected:
+          sources:
+          - configMap:
+              name: cinder-etc
+              items:
+              - key:  statsd-exporter.yaml
+                path: statsd-exporter.yaml
+      {{- include "utils.proxysql.volumes" . | indent 6 }}
+      {{- include "utils.coordination.volumes" . | indent 6 }}
+{{- end }}
+{{- end }}
 
+{{- include "cinder.api.deployment" (tuple . "external" (
+  dict "replicas" .Values.pod.replicas.api_external
+       "use_uwsgi" .Values.api_external.use_uwsgi
+       "resources" .Values.pod.resources.api_external
+       "rate_limit" .Values.api_external.rate_limit )) }}
+---
+{{ include "cinder.api.deployment" (tuple . "internal" (
+  dict "replicas" .Values.pod.replicas.api_internal
+       "use_uwsgi" .Values.api_internal.use_uwsgi
+       "resources" .Values.pod.resources.api_internal
+       "rate_limit" .Values.api_internal.rate_limit )) }}

openstack/cinder/templates/api-etc-configmap.yaml

@@ -0,0 +1,46 @@
+{{- define "cinder.api.etc-configmap" -}}
+{{- $type := index . 1 -}}
+{{- $conf := index . 2 -}}
+{{- with index . 0 -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cinder-api-{{ $type }}-etc
+  labels:
+    system: openstack
+    type: configuration
+    component: cinder
+
+data:
+  cinder-api.conf: |
+{{ include (print .Template.BasePath "/etc/_cinder-api.conf.tpl") (tuple . $conf) | indent 4 }}
+  api-paste.ini: |
+{{ include (print .Template.BasePath "/etc/_api-paste.ini.tpl") (tuple . $type $conf) | indent 4 }}
+{{- if $conf.use_uwsgi }}
+  api_uwsgi.ini: |
+{{ include (print .Template.BasePath "/etc/_api_uwsgi.ini.tpl") $conf | indent 4 }}
+{{- end }}
+  volume.filters: |
+{{ include (print .Template.BasePath "/etc/_volume.filters.tpl") . | indent 4 }}
+  policy.yaml: |
+{{ include (print .Template.BasePath "/etc/_cinder-policy.yaml.tpl") . | indent 4 }}
+  resource_filters.json: |
+{{ include (print .Template.BasePath "/etc/_resource_filters.json.tpl") . | indent 4 }}
+{{- if .Values.audit.enabled }}
+  cinder_audit_map.yaml: |
+{{ include (print .Template.BasePath "/etc/_cinder_audit_map.yaml.tpl") . | indent 4 }}
+{{- end }}
+{{- if $conf.rate_limit.enabled }}
+  ratelimit.yaml: |
+{{ include (print .Template.BasePath "/etc/_ratelimit.yaml.tpl") $conf | indent 4 }}
+{{- end }}
+{{- if .Values.watcher.enabled }}
+  watcher.yaml: |
+{{ include (print .Template.BasePath "/etc/_watcher.yaml.tpl") . | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- include "cinder.api.etc-configmap" (tuple . "external" .Values.api_external) }}
+---
+{{ include "cinder.api.etc-configmap" (tuple . "internal" .Values.api_internal) }}

openstack/cinder/templates/api-ingress.yaml

@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 
 metadata:
-  name: cinder-api
+  name: cinder-api-external
   labels:
     system: openstack
     type: api
@@ -25,6 +25,6 @@ spec:
           pathType: Prefix
           backend:
             service:
-              name: cinder-api
+              name: cinder-api-external
               port:
                 number: {{.Values.cinderApiPortInternal}}