feat: remove OpenStack DB secrets

Since we're now using the MariaDB operator to generate the DB
connection, we don't need to have this generated by OpenStack Helm. So
that means we don't need to inject the passwords in via plain text since
OpenStack Helm does not support passing secrets by reference. Instead we
are using the db connection snippet of the prior commit.

Keystone and Placement currently do not support mounting the DB
connection snippet for the db_sync job currently so we must wait until
that is fixed upstream and we bump to a new enough version.

Placement fix: https://review.opendev.org/c/openstack/openstack-helm/+/942131

Author: cardoe

components/openstack-secrets.tpl.yaml

@@ -40,43 +40,6 @@ endpoints:
       # this is used for encrypting / protecting the memcache tokens
       memcache_secret_key: "${MEMCACHE_SECRET_KEY}"
 
-  # 'oslo_db' is for MariaDB
-  oslo_db:
-    auth:
-      # this is what the keystone service uses to connect to MariaDB
-      keystone:
-        password: "${KEYSTONE_DB_PASSWORD}"
-      # this is what the glance service uses to connect to MariaDB
-      glance:
-        password: "${GLANCE_DB_PASSWORD}"
-      # this is what the ironic service uses to connect to MariaDB
-      ironic:
-        password: "${IRONIC_DB_PASSWORD}"
-      # this is what the neutron service uses to connect to MariaDB
-      neutron:
-        password: "${NEUTRON_DB_PASSWORD}"
-      # this is what the nova service uses to connect to MariaDB
-      nova:
-        password: "${NOVA_DB_PASSWORD}"
-      # this is what the placement service uses to connect to MariaDB
-      placement:
-        password: "${PLACEMENT_DB_PASSWORD}"
-      # this is what the horizon dashboard service uses to connect to MariaDB
-      horizon:
-        password: "${HORIZON_DB_PASSWORD}"
-
-  # 'oslo_db_api' is for MariaDB specific for nova
-  oslo_db_api:
-    auth:
-      nova:
-        password: "${NOVA_DB_PASSWORD}"
-
-  # 'oslo_db_cell0' is for MariaDB specific for nova
-  oslo_db_cell0:
-    auth:
-      nova:
-        password: "${NOVA_DB_PASSWORD}"
-
   # 'oslo_messaging' is for RabbitMQ
   oslo_messaging:
     auth:

scripts/gitops-secrets-gen.sh

@@ -320,26 +320,23 @@ for component in keystone ironic placement neutron nova glance; do
 
     # environment variable names
     VARNAME_RABBITMQ_PASSWORD="$(convert_to_var_name "${component}" "RABBITMQ_PASSWORD")"
-    VARNAME_DB_PASSWORD="$(convert_to_var_name "${component}" "DB_PASSWORD")"
     VARNAME_KEYSTONE_PASSWORD="$(convert_to_var_name "${keystone_user}" "KEYSTONE_PASSWORD")"
 
     # k8s secret names
     SECRET_RABBITMQ_PASSWORD="$(convert_to_secret_name "${VARNAME_RABBITMQ_PASSWORD}")"
-    SECRET_DB_PASSWORD="$(convert_to_secret_name "${VARNAME_DB_PASSWORD}")"
     SECRET_KEYSTONE_PASSWORD="$(convert_to_secret_name "${VARNAME_KEYSTONE_PASSWORD}")"
 
     # attempt to load the existing secrets from the cluster and use those
     # otherwise generate the passwords and set the variable names
     load_or_gen_os_secret "${VARNAME_RABBITMQ_PASSWORD}" "${SECRET_RABBITMQ_PASSWORD}" && \
         create_os_secret "RABBITMQ_PASSWORD" "${component}" "${component}"
-    load_or_gen_os_secret "${VARNAME_DB_PASSWORD}" "${SECRET_DB_PASSWORD}" && \
+    [ ! -f "${DEST_DIR}/${component}/secret-db-password.yaml" ] && \
         create_os_secret "DB_PASSWORD" "${component}" "${component}"
     load_or_gen_os_secret "${VARNAME_KEYSTONE_PASSWORD}" "${SECRET_KEYSTONE_PASSWORD}" && \
         create_os_secret "KEYSTONE_PASSWORD" "${component}" "${keystone_user}"
 
     # export the variables for templating the openstack secret
     export "${VARNAME_RABBITMQ_PASSWORD?}"
-    export "${VARNAME_DB_PASSWORD?}"
     export "${VARNAME_KEYSTONE_PASSWORD?}"
 
 done
@@ -348,12 +345,8 @@ echo "Checking horizon"
 # horizon credentials
 mkdir -p "${DEST_DIR}/horizon"
 # horizon user password for database
-VARNAME_DB_PASSWORD="HORIZON_DB_PASSWORD"
-SECRET_DB_PASSWORD="horizon-db-password"
-load_or_gen_os_secret "${VARNAME_DB_PASSWORD}" "${SECRET_DB_PASSWORD}" && \
+[ ! -f "${DEST_DIR}/horizon/secret-db-password.yaml" ] && \
     create_os_secret "DB_PASSWORD" "horizon" "horizon"
-# export the variable for templating into the openstack secret / values.yaml
-export HORIZON_DB_PASSWORD
 
 # generate the secret-openstack.yaml file every time from our secrets data
 # this is a helm values.yaml but it contains secrets because of the lack