Retrieve cloud credentials directly from keystone

In a cells deployment the credentials for the nova-compute
application will no longer be available via the
nova-cloud-controller in the local cell. This change adds the
scaffolding for a cell to utilise a new cloud-credentials relation
to allow it to retrieve credentials directly from keystone.

Change-Id: I9d1a7353d730f7cb8e93cc9eea5b788f7c956c3d
This commit is contained in:
Liam Young 2018-06-14 10:12:28 +00:00
parent f751b88746
commit 7effde7bee
8 changed files with 33 additions and 3 deletions

View File

@ -0,0 +1 @@
nova_compute_hooks.py

View File

@ -0,0 +1 @@
nova_compute_hooks.py

View File

@ -30,6 +30,7 @@ from charmhelpers.core.hookenv import (
Hooks, Hooks,
config, config,
is_relation_made, is_relation_made,
local_unit,
log, log,
relation_ids, relation_ids,
remote_service_name, remote_service_name,
@ -561,6 +562,18 @@ def storage_changed():
configure_local_ephemeral_storage() configure_local_ephemeral_storage()
@hooks.hook('cloud-credentials-relation-joined')
def cloud_credentials_joined():
svc_name = local_unit().split('/')[0].replace('-', '_')
relation_set(username=svc_name)
@hooks.hook('cloud-credentials-relation-changed')
@restart_on_change(restart_map())
def cloud_credentials_changed():
CONFIGS.write(NOVA_CONF)
@hooks.hook('update-status') @hooks.hook('update-status')
@harden() @harden()
def update_status(): def update_status():

View File

@ -175,7 +175,9 @@ BASE_RESOURCE_MAP = {
NovaComputeAvailabilityZoneContext(), NovaComputeAvailabilityZoneContext(),
context.WorkerConfigContext(), context.WorkerConfigContext(),
vaultlocker.VaultKVContext( vaultlocker.VaultKVContext(
vaultlocker.VAULTLOCKER_BACKEND)], vaultlocker.VAULTLOCKER_BACKEND),
context.IdentityCredentialsContext(
rel_name='cloud-credentials')],
}, },
NOVA_API_AA_PROFILE_PATH: { NOVA_API_AA_PROFILE_PATH: {
'services': ['nova-api'], 'services': ['nova-api'],

View File

@ -46,6 +46,8 @@ requires:
scope: container scope: container
ceph-access: ceph-access:
interface: cinder-ceph-key interface: cinder-ceph-key
cloud-credentials:
interface: keystone-credentials
secrets-storage: secrets-storage:
interface: vault-kv interface: vault-kv
peers: peers:

View File

@ -138,7 +138,7 @@ resume_guests_state_on_host_boot = {{ resume_guests_state_on_host_boot }}
{% if network_manager == 'neutron' and network_manager_config -%} {% if network_manager == 'neutron' and network_manager_config -%}
[neutron] [neutron]
url = {{ network_manager_config.neutron_url }} url = {{ network_manager_config.neutron_url }}
{% if network_manager_config.keystone_host -%} {% if network_manager_config.keystone_host or auth_host -%}
{% if neutron_plugin and neutron_plugin == 'vsp' -%} {% if neutron_plugin and neutron_plugin == 'vsp' -%}
ovs_bridge = alubr0 ovs_bridge = alubr0
{% endif -%} {% endif -%}

View File

@ -141,7 +141,7 @@ alias = {{ pci_alias }}
{% if network_manager == 'neutron' and network_manager_config -%} {% if network_manager == 'neutron' and network_manager_config -%}
[neutron] [neutron]
url = {{ network_manager_config.neutron_url }} url = {{ network_manager_config.neutron_url }}
{% if network_manager_config.keystone_host -%} {% if network_manager_config.keystone_host or auth_host -%}
{% if neutron_plugin and neutron_plugin == 'vsp' -%} {% if neutron_plugin and neutron_plugin == 'vsp' -%}
ovs_bridge = alubr0 ovs_bridge = alubr0
{% endif -%} {% endif -%}

View File

@ -38,6 +38,7 @@ TO_PATCH = [
# charmhelpers.core.hookenv # charmhelpers.core.hookenv
'Hooks', 'Hooks',
'config', 'config',
'local_unit',
'log', 'log',
'is_relation_made', 'is_relation_made',
'relation_get', 'relation_get',
@ -729,3 +730,13 @@ class NovaComputeRelationsTests(CharmTestCase):
self.relation_get.return_value = None self.relation_get.return_value = None
hooks.secrets_storage_changed() hooks.secrets_storage_changed()
self.configure_local_ephemeral_storage.assert_called_once_with() self.configure_local_ephemeral_storage.assert_called_once_with()
def test_cloud_credentials_joined(self):
self.local_unit.return_value = 'nova-compute-cell1/2'
hooks.cloud_credentials_joined()
self.relation_set.assert_called_with(username='nova_compute_cell1')
@patch.object(hooks, 'CONFIGS')
def test_cloud_credentials_changed(self, mock_CONFIGS):
hooks.cloud_credentials_changed()
mock_CONFIGS.write.assert_called_with('/etc/nova/nova.conf')