[NSX-T] prepare service user management via vcenter operator

sven-rosenzweig · sven-rosenzweig · commit 375b069edc83 · 2025-11-10T16:05:56.000+01:00
diff --git a/openstack/neutron/templates/vct-nsxv3-agent-deployment.yaml b/openstack/neutron/templates/vct-nsxv3-agent-deployment.yaml
@@ -8,6 +8,9 @@ options:
   jinja2_options:
     variable_start_string: '{='
     variable_end_string: '=}'
+    {{- if .Values.nsxv3_managed_service_users }}
+    uses-service-user: nsxt
+    {{- end }}
 template: |
   apiVersion: apps/v1
   kind: Deployment
@@ -20,6 +23,13 @@ template: |
       vcenter: {= host =}
       datacenter: {= availability_zone =}
       vccluster: {= cluster_name =}
+      {{- if .Values.nsxv3_managed_service_users }}
+      vcenter-operator-secret-version: {= service_user_version | quote =}
+      {{- end }}
+    {{- if .Values.nsxv3_managed_service_users }}
+    annotations:
+      uses-service-user: nsxt
+    {{- end }}
   spec:
     replicas: 1
     revisionHistoryLimit: 5
diff --git a/openstack/neutron/templates/vct-nsxv3-agent-secret.yaml b/openstack/neutron/templates/vct-nsxv3-agent-secret.yaml
@@ -8,6 +8,9 @@ options:
   jinja2_options:
     variable_start_string: '{='
     variable_end_string: '=}'
+    {{- if .Values.nsxv3_managed_service_users }}
+    uses-service-user: nsxt
+    {{- end }}
 template: |
   {%- set bb = name | replace( "bb", "") | int %}
   {%- set hostname = "nsx-ctl-" + "bb" + ( '%03d' % bb ) + "." + domain %}
@@ -22,13 +25,30 @@ template: |
       vcenter: {= host =}
       datacenter: {= availability_zone =}
       vccluster: {= cluster_name =}
+      {{- if .Values.nsxv3_managed_service_users }}
+      vcenter-operator-secret-version: {= service_user_version | quote =}
+      {{- end }}
+    {{- if .Values.nsxv3_managed_service_users }}
+    annotations:
+      uses-service-user: nsxt
+    {{- end }}
   data:
+    {{- if .Values.nsxv3_managed_service_users }}
+    NSXV3_LOGIN_USER: {% filter b64enc %}{= username =}{%- endfilter %}
+    NSXV3_LOGIN_PASSWORD: {% filter b64enc %}{= password =}{%- endfilter %}
+    {{- else }}
     NSXV3_LOGIN_USER: {% filter b64enc %}osapinsxt{%- endfilter %}
     NSXV3_LOGIN_PASSWORD: {% filter b64enc %}{= "{{ .Values.nsxv3_pw_user }}" | derive_password(hostname) =}{%- endfilter %}
+    {{- end }}
     neutron-nsxv3-secrets.conf:{= " " =}
   {%- filter b64enc %}
   [NSXV3]
+  {{- if .Values.nsxv3_managed_service_users }}
+  nsxv3_login_user = {= username =}
+  nsxv3_login_password = {= password =}
+  {{- else }}
   nsxv3_login_user = osapinsxt
   nsxv3_login_password = {= "{{ .Values.nsxv3_pw_user }}" | derive_password(hostname) | quote =}
+  {{- end }}
   {%- endfilter %}
 {{ end }}
diff --git a/openstack/neutron/values.yaml b/openstack/neutron/values.yaml
@@ -332,6 +332,7 @@ drivers:
         nsxv3_transport_zone_id_cache_time: 86400
 
 nsxv3_pw_user: m3apiuser0
+nsxv3_managed_service_users: false
 
 #ToDo - Remove this migrated to the new sentry logger
 logging:
