Retrieve cloud credentials directly from keystone

In a cells deployment the credentials for the nova-compute
application will no longer be available via the
nova-cloud-controller in the local cell. This change adds the
scaffolding for a cell to utilise a new cloud-credentials relation
to allow it to retrieve credentials directly from keystone.

Change-Id: I9d1a7353d730f7cb8e93cc9eea5b788f7c956c3d

hooks/cloud-credentials-relation-changed

@@ -0,0 +1 @@
+nova_compute_hooks.py

hooks/cloud-credentials-relation-joined

@@ -0,0 +1 @@
+nova_compute_hooks.py

hooks/nova_compute_hooks.py

@@ -30,6 +30,7 @@ from charmhelpers.core.hookenv import (
     Hooks,
     config,
     is_relation_made,
+    local_unit,
     log,
     relation_ids,
     remote_service_name,
@@ -561,6 +562,18 @@ def storage_changed():
     configure_local_ephemeral_storage()
 
 
+@hooks.hook('cloud-credentials-relation-joined')
+def cloud_credentials_joined():
+    svc_name = local_unit().split('/')[0].replace('-', '_')
+    relation_set(username=svc_name)
+
+
+@hooks.hook('cloud-credentials-relation-changed')
+@restart_on_change(restart_map())
+def cloud_credentials_changed():
+    CONFIGS.write(NOVA_CONF)
+
+
 @hooks.hook('update-status')
 @harden()
 def update_status():

hooks/nova_compute_utils.py

@@ -175,7 +175,9 @@ BASE_RESOURCE_MAP = {
                      NovaComputeAvailabilityZoneContext(),
                      context.WorkerConfigContext(),
                      vaultlocker.VaultKVContext(
-                         vaultlocker.VAULTLOCKER_BACKEND)],
+                         vaultlocker.VAULTLOCKER_BACKEND),
+                     context.IdentityCredentialsContext(
+                         rel_name='cloud-credentials')],
     },
     NOVA_API_AA_PROFILE_PATH: {
         'services': ['nova-api'],

metadata.yaml

@@ -46,6 +46,8 @@ requires:
     scope: container
   ceph-access:
     interface: cinder-ceph-key
+  cloud-credentials:
+    interface: keystone-credentials
   secrets-storage:
     interface: vault-kv
 peers:

templates/ocata/nova.conf

@@ -138,7 +138,7 @@ resume_guests_state_on_host_boot = {{ resume_guests_state_on_host_boot }}
 {% if network_manager == 'neutron' and network_manager_config -%}
 [neutron]
 url = {{ network_manager_config.neutron_url }}
-{% if network_manager_config.keystone_host -%}
+{% if network_manager_config.keystone_host or auth_host -%}
 {% if neutron_plugin and neutron_plugin == 'vsp' -%}
 ovs_bridge = alubr0
 {% endif -%}

templates/pike/nova.conf

@@ -141,7 +141,7 @@ alias = {{ pci_alias }}
 {% if network_manager == 'neutron' and network_manager_config -%}
 [neutron]
 url = {{ network_manager_config.neutron_url }}
-{% if network_manager_config.keystone_host -%}
+{% if network_manager_config.keystone_host or auth_host -%}
 {% if neutron_plugin and neutron_plugin == 'vsp' -%}
 ovs_bridge = alubr0
 {% endif -%}

unit_tests/test_nova_compute_hooks.py

@@ -38,6 +38,7 @@ TO_PATCH = [
     # charmhelpers.core.hookenv
     'Hooks',
     'config',
+    'local_unit',
     'log',
     'is_relation_made',
     'relation_get',
@@ -729,3 +730,13 @@ class NovaComputeRelationsTests(CharmTestCase):
         self.relation_get.return_value = None
         hooks.secrets_storage_changed()
         self.configure_local_ephemeral_storage.assert_called_once_with()
+
+    def test_cloud_credentials_joined(self):
+        self.local_unit.return_value = 'nova-compute-cell1/2'
+        hooks.cloud_credentials_joined()
+        self.relation_set.assert_called_with(username='nova_compute_cell1')
+
+    @patch.object(hooks, 'CONFIGS')
+    def test_cloud_credentials_changed(self, mock_CONFIGS):
+        hooks.cloud_credentials_changed()
+        mock_CONFIGS.write.assert_called_with('/etc/nova/nova.conf')