[Cinder] Split up cinder-api into external and internal

openstack/cinder/Chart.lock

@@ -20,11 +20,14 @@ dependencies:
 - name: redis
   repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
   version: 2.2.19
+- name: redis
+  repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
+  version: 2.2.19
 - name: owner-info
   repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
   version: 1.0.0
 - name: linkerd-support
   repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
   version: 1.1.1
-digest: sha256:4c25b977f75c6f0198aa9be9aabd7452328a1a589fb88cf2cea5ff1868b499c1
-generated: "2025-10-13T10:21:01.941018+03:00"
+digest: sha256:66e466fa523d0d69f7ada1880e2bf097a93a8e26b8011507dc1ea475a98b4243
+generated: "2025-10-23T10:19:58.090399364+02:00"

openstack/cinder/Chart.yaml

@@ -28,10 +28,15 @@ dependencies:
     repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
     version: 0.18.5
   - name: redis
-    alias: api-ratelimit-redis
+    alias: api-external-ratelimit-redis
     repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
     version: 2.2.19
-    condition: api_rate_limit.enabled
+    condition: api_external.rate_limit.enabled
+  - name: redis
+    alias: api-internal-ratelimit-redis
+    repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
+    version: 2.2.19
+    condition: api_internal.rate_limit.enabled
   - name: owner-info
     repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
     version: 1.0.0

openstack/cinder/ci/test-values.yaml

@@ -72,3 +72,8 @@ cors:
 utils:
   cors:
     allowed_origin: 'https://test.domain'
+
+api-external-ratelimit-redis:
+  redisPassword: "very-external"
+api-internal-ratelimit-redis:
+  redisPassword: "much-internal"

openstack/cinder/templates/_helpers.tpl

@@ -10,7 +10,7 @@
 {{- end }}
 
 {{- define "cinder.scheduler_service_dependencies" }}
-  {{- template "cinder.rabbitmq_service" . }},cinder-api
+  {{- template "cinder.rabbitmq_service" . }},cinder-api-external
 {{- end }}
 
 {{- define "cinder.db_service" }}

openstack/cinder/templates/api-deployment.yaml

@@ -1,8 +1,12 @@
+{{- define "cinder.api.deployment" -}}
+{{- $type := index . 1 -}}
+{{- $conf := index . 2 -}}
+{{- with index . 0 -}}
 kind: Deployment
 apiVersion: apps/v1
 
 metadata:
-  name: cinder-api
+  name: cinder-api-{{ $type }}
   labels:
     system: openstack
     type: api
@@ -11,7 +15,7 @@ metadata:
     secret.reloader.stakater.com/reload: "{{ .Release.Name }}-secrets"
     deployment.reloader.stakater.com/pause-period: "60s"
 spec:
-  replicas: {{ .Values.pod.replicas.api }}
+  replicas: {{ $conf.replicas }}
   revisionHistoryLimit: {{ .Values.pod.lifecycle.upgrades.deployments.revisionHistory }}
   strategy:
     type: {{ .Values.pod.lifecycle.upgrades.deployments.podReplacementStrategy }}
@@ -22,25 +26,25 @@ spec:
     {{ end }}
   selector:
     matchLabels:
-      name: cinder-api
+      name: cinder-api-{{ $type }}
   template:
     metadata:
       labels:
-        name: cinder-api
-        {{- tuple . "cinder" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | nindent 8 }}
+        name: cinder-api-{{ $type }}
+        {{- tuple . "cinder" (printf "api-%s" $type) | include "helm-toolkit.snippets.kubernetes_metadata_labels" | nindent 8 }}
         {{- include "utils.topology.pod_label" . | indent 8 }}
       annotations:
-        configmap-etc-hash: {{ include (print $.Template.BasePath "/etc-configmap.yaml") . | sha256sum }}
-        secrets-hash: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+        configmap-etc-hash: {{ include (print .Template.BasePath "/etc-configmap.yaml") . | sha256sum }}
+        secrets-hash: {{ include (print .Template.BasePath "/secrets.yaml") . | sha256sum }}
         {{- if .Values.proxysql.mode }}
         prometheus.io/scrape: "true"
         prometheus.io/targets: {{ required ".Values.alerts.prometheus missing" .Values.alerts.prometheus | quote }}
         {{- end }}
         {{- include "utils.linkerd.pod_and_service_annotation" . | indent 8 }}
     spec:
-      {{- tuple . "cinder" "api" | include "kubernetes_pod_anti_affinity" | nindent 6 }}
+      {{- tuple . "cinder" (printf "api-%s" $type) | include "kubernetes_pod_anti_affinity" | nindent 6 }}
       {{- include "utils.proxysql.pod_settings" . | nindent 6 }}
-      {{- tuple . (dict "name" "cinder-api") | include "utils.topology.constraints" | indent 6 }}
+      {{- tuple . (dict "name" (printf "cinder-api-%s" $type)) | include "utils.topology.constraints" | indent 6 }}
       initContainers:
       {{- tuple . (dict "service" (include "cinder.service_dependencies" . ) "jobs" (include "cinder.migration_job_name" .)) | include "utils.snippets.kubernetes_entrypoint_init_container" | indent 6 }}
       {{- if .Values.proxysql.native_sidecar }}
@@ -51,7 +55,7 @@ spec:
           image: {{required ".Values.global.registry is missing" .Values.global.registry}}/loci-cinder:{{.Values.imageVersionCinderApi | default .Values.imageVersion | required "Please set cinder.imageVersion or similar" }}
           imagePullPolicy: {{ required ".Values.global.imagePullPolicy is missing" .Values.global.imagePullPolicy }}
           command:
-          {{- if .Values.api.use_uwsgi }}
+          {{- if $conf.use_uwsgi }}
             - uwsgi
             - --ini
             - /etc/cinder/api_uwsgi.ini
@@ -70,7 +74,7 @@ spec:
                 name: sentry
                 key: {{ .Chart.Name }}.DSN.python
           {{- end }}
-          {{- if .Values.api.use_uwsgi }}
+          {{- if $conf.use_uwsgi }}
           - name: OS_OSLO_MESSAGING_RABBIT__HEARTBEAT_IN_PTHREAD
             value: "true"
           {{- end }}
@@ -89,64 +93,16 @@ spec:
               port: cinder-api
             initialDelaySeconds: 15
             timeoutSeconds: 5
-          {{- if .Values.pod.resources.api }}
+          {{- if $conf.resources }}
           resources:
-{{ toYaml .Values.pod.resources.api | indent 12 }}
+            {{- toYaml $conf.resources | nindent 12 }}
           {{- end }}
           ports:
             - name: cinder-api
               containerPort: {{.Values.cinderApiPortInternal }}
           volumeMounts:
-            - name: etccinder
-              mountPath: /etc/cinder
-            - name: cinder-etc
-              mountPath: /etc/cinder/cinder.conf
-              subPath: cinder.conf
-              readOnly: true
-            - name: cinder-etc-confd
-              mountPath: /etc/cinder/cinder.conf.d
-            - name: cinder-etc
-              mountPath: /etc/cinder/api-paste.ini
-              subPath: api-paste.ini
-              readOnly: true
-           {{- if .Values.api.use_uwsgi }}
-            - mountPath: /etc/cinder/api_uwsgi.ini
-              name: cinder-etc
-              subPath: api_uwsgi.ini
-              readOnly: true
-           {{- end }}
-            - name: cinder-etc
-              mountPath: /etc/cinder/policy.yaml
-              subPath: policy.yaml
-              readOnly: true
-            - name: cinder-etc
-              mountPath: /etc/cinder/logging.ini
-              subPath: logging.ini
-              readOnly: true
-            - name: cinder-etc
-              mountPath: /etc/cinder/cinder_audit_map.yaml
-              subPath: cinder_audit_map.yaml
-              readOnly: true
-            - name: cinder-etc
-              mountPath: /etc/cinder/resource_filters.json
-              subPath: resource_filters.json
-              readOnly: true
-            {{- if .Values.api_rate_limit.enabled }}
-            - name: cinder-etc
-              mountPath: /etc/cinder/ratelimit.yaml
-              subPath: ratelimit.yaml
-              readOnly: true
-            - name: redis-ratelimit-secret
-              mountPath: /etc/cinder/ratelimit-backend-secret.conf
-              subPath: ratelimit-backend-secret.conf
-              readOnly: true
-            {{- end }}
-            {{- if .Values.watcher.enabled }}
             - name: cinder-etc
-              mountPath: /etc/cinder/watcher.yaml
-              subPath: watcher.yaml
-              readOnly: true
-            {{- end }}
+              mountPath: /etc/cinder
             {{- include "utils.proxysql.volume_mount" . | indent 12 }}
             {{- include "utils.coordination.volume_mount" . | indent 12 }}
         {{- if not .Values.proxysql.native_sidecar }}
@@ -163,27 +119,82 @@ spec:
             - name: metrics
               containerPort: {{ .Values.port_metrics }}
           volumeMounts:
-            - name: cinder-etc
-              mountPath: /etc/statsd/statsd-exporter.yaml
-              subPath: statsd-exporter.yaml
-              readOnly: true
-{{- include "jaeger_agent_sidecar" . | indent 8 }}
+          - name: statsd-etc
+            mountPath: /etc/statsd/statsd-exporter.yaml
+            subPath: statsd-exporter.yaml
+            readOnly: true
+        {{- include "jaeger_agent_sidecar" . | indent 8 }}
       volumes:
-        - name: etccinder
-          emptyDir: {}
-        - name: cinder-etc
-          configMap:
-            name: cinder-etc
-        - name: cinder-etc-confd
-          secret:
-            secretName: {{ .Release.Name }}-secrets
-        {{- include "utils.proxysql.volumes" . | indent 8 }}
-        {{- include "utils.coordination.volumes" . | indent 8 }}
-
-        {{- if .Values.api_rate_limit.enabled }}
-        - name: redis-ratelimit-secret
-          secret:
-            secretName: cinder-api-ratelimit-secret
-        {{- end }}
-
+      - name: cinder-etc
+        projected:
+          sources:
+          - configMap:
+              name: cinder-etc
+              items:
+              - key: cinder.conf
+                path: cinder.conf
+              - key: logging.ini
+                path: logging.ini
+          - secret:
+              name: {{ .Release.Name }}-secrets
+              items:
+              - key: secrets.conf
+                path: cinder.conf.d/secrets.conf
+          - configMap:
+              name: cinder-api-{{ $type }}-etc
+              items:
+              - key: cinder-api.conf
+                path: cinder-api.conf
+              - key: api-paste.ini
+                path: api-paste.ini
+              {{- if $conf.use_uwsgi }}
+              - key: api_uwsgi.ini
+                path: api_uwsgi.ini
+              {{- end }}
+              - key: policy.yaml
+                path: policy.yaml
+              - key: resource_filters.json
+                path: resource_filters.json
+              {{- if .Values.audit.enabled }}
+              - key: cinder_audit_map.yaml
+                path: cinder_audit_map.yaml
+              {{- end }}
+              {{- if .Values.watcher.enabled }}
+              - key: watcher.yaml
+                path: watcher.yaml
+              {{- end }}
+              {{- if $conf.rate_limit.enabled }}
+              - key: ratelimit.yaml
+                path: ratelimit.yaml
+              {{- end }}
+          {{- if $conf.rate_limit.enabled }}
+          - secret:
+              name: cinder-api-{{ $type }}-ratelimit-secret
+              items:
+              - key: ratelimit-backend-secret.conf
+                path: ratelimit-backend-secret.conf
+          {{- end }}
+      - name: statsd-etc
+        projected:
+          sources:
+          - configMap:
+              name: cinder-etc
+              items:
+              - key:  statsd-exporter.yaml
+                path: statsd-exporter.yaml
+      {{- include "utils.proxysql.volumes" . | indent 6 }}
+      {{- include "utils.coordination.volumes" . | indent 6 }}
+{{- end }}
+{{- end }}
 
+{{- include "cinder.api.deployment" (tuple . "external" (
+  dict "replicas" .Values.pod.replicas.api_external
+       "use_uwsgi" .Values.api_external.use_uwsgi
+       "resources" .Values.pod.resources.api_external
+       "rate_limit" .Values.api_external.rate_limit )) }}
+---
+{{ include "cinder.api.deployment" (tuple . "internal" (
+  dict "replicas" .Values.pod.replicas.api_internal
+       "use_uwsgi" .Values.api_internal.use_uwsgi
+       "resources" .Values.pod.resources.api_internal
+       "rate_limit" .Values.api_internal.rate_limit )) }}

openstack/cinder/templates/api-etc-configmap.yaml

@@ -0,0 +1,46 @@
+{{- define "cinder.api.etc-configmap" -}}
+{{- $type := index . 1 -}}
+{{- $conf := index . 2 -}}
+{{- with index . 0 -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cinder-api-{{ $type }}-etc
+  labels:
+    system: openstack
+    type: configuration
+    component: cinder
+
+data:
+  cinder-api.conf: |
+{{ include (print .Template.BasePath "/etc/_cinder-api.conf.tpl") (tuple . $conf) | indent 4 }}
+  api-paste.ini: |
+{{ include (print .Template.BasePath "/etc/_api-paste.ini.tpl") (tuple . $type $conf) | indent 4 }}
+{{- if $conf.use_uwsgi }}
+  api_uwsgi.ini: |
+{{ include (print .Template.BasePath "/etc/_api_uwsgi.ini.tpl") $conf | indent 4 }}
+{{- end }}
+  volume.filters: |
+{{ include (print .Template.BasePath "/etc/_volume.filters.tpl") . | indent 4 }}
+  policy.yaml: |
+{{ include (print .Template.BasePath "/etc/_cinder-policy.yaml.tpl") . | indent 4 }}
+  resource_filters.json: |
+{{ include (print .Template.BasePath "/etc/_resource_filters.json.tpl") . | indent 4 }}
+{{- if .Values.audit.enabled }}
+  cinder_audit_map.yaml: |
+{{ include (print .Template.BasePath "/etc/_cinder_audit_map.yaml.tpl") . | indent 4 }}
+{{- end }}
+{{- if $conf.rate_limit.enabled }}
+  ratelimit.yaml: |
+{{ include (print .Template.BasePath "/etc/_ratelimit.yaml.tpl") $conf | indent 4 }}
+{{- end }}
+{{- if .Values.watcher.enabled }}
+  watcher.yaml: |
+{{ include (print .Template.BasePath "/etc/_watcher.yaml.tpl") . | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- include "cinder.api.etc-configmap" (tuple . "external" .Values.api_external) }}
+---
+{{ include "cinder.api.etc-configmap" (tuple . "internal" .Values.api_internal) }}

openstack/cinder/templates/api-ingress.yaml

@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 
 metadata:
-  name: cinder-api
+  name: cinder-api-external
   labels:
     system: openstack
     type: api
@@ -25,6 +25,6 @@ spec:
           pathType: Prefix
           backend:
             service:
-              name: cinder-api
+              name: cinder-api-external
               port:
                 number: {{.Values.cinderApiPortInternal}}