diff --git a/attributes/default.rb b/attributes/default.rb
index 4306b0b..95cab8c 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -128,7 +128,7 @@
 default['openstack']['identity']['conf']['credential']['key_repository'] = '/etc/keystone/credential-tokens'
 
 # configuration directory for keystone domain specific options
-default['openstack']['identity']['identity']['domain_config_dir'] = '/etc/keystone/domains'
+default['openstack']['identity']['domain_config_dir'] = '/etc/keystone/domains'
 
 # keystone service user name
 default['openstack']['identity']['user'] = 'keystone'
@@ -160,15 +160,17 @@ end
 # array of bare options for openrc (e.g. 'option=value')
 default['openstack']['misc_openrc'] = nil
 
-# openrc path
-default['openstack']['openrc']['path'] = '/root'
-# openrc path mode
-default['openstack']['openrc']['path_mode'] = '0700'
+%w(openrc cloud_config).each do |file_type|
+  default['openstack']['identity'][file_type]['path'] = '/root'
+  default['openstack']['identity'][file_type]['path_mode'] = '0700'
+  default['openstack']['identity'][file_type]['file_mode'] = '0600'
+  default['openstack']['identity'][file_type]['user'] = 'root'
+  default['openstack']['identity'][file_type]['group'] = 'root'
+end
+
 # openrc file name
-default['openstack']['openrc']['file'] = 'openrc'
-# openrc file mode
-default['openstack']['openrc']['file_mode'] = '0600'
-# openrc file owner
-default['openstack']['openrc']['user'] = 'root'
-# openrc file group
-default['openstack']['openrc']['group'] = 'root'
+default['openstack']['identity']['openrc']['file'] = 'openrc'
+# cloud_config file name
+default['openstack']['identity']['cloud_config']['file'] = 'clouds.yaml'
+# cloud_config cloud name
+default['openstack']['identity']['cloud_config']['cloud_name'] = 'default'
diff --git a/recipes/cloud_config.rb b/recipes/cloud_config.rb
new file mode 100644
index 0000000..09c9cc0
--- /dev/null
+++ b/recipes/cloud_config.rb
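Review bot: The openrc keys move from `node['openstack']['openrc']` to `node['openstack']['identity']['openrc']` with no fallback, so a wrapper cookbook that still overrides `default['openstack']['openrc']['path']` (or `user`, `group`, `file_mode`) is silently ignored and openrc lands in `/root/openrc` as root 0600. That is the safe direction, but the break is invisible at runtime; a comment on the loop such as `# NOTE: these keys moved from node['openstack']['openrc'] with no compat shim - update wrapper overrides` (or a CHANGELOG entry) would make it discoverable. The loop also drops the per-key comments of the old block; a one-line header like `# destination dir/file, modes and ownership for the credential-bearing openrc and clouds.yaml files (defaults are root-only 0700/0600)` would carry that intent forward.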
@@ -0,0 +1,61 @@
+# encoding: UTF-8
+#
+# Cookbook Name:: openstack-identity
+# recipe:: cloud_config
+#
+# Copyright 2019 x-ion GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This recipe creates a fully usable cloud config file to be used directly
+# by the openstack client or sdk.
+
+class ::Chef::Recipe
+  include ::Openstack
+end
+
+ksadmin_project = node['openstack']['identity']['admin_project']
+project_domain_name = node['openstack']['identity']['admin_project_domain']
+ksadmin_user = node['openstack']['identity']['admin_user']
+admin_domain_name = node['openstack']['identity']['admin_domain_name']
+
+ksadmin_pass = get_password 'user', ksadmin_user
+
+identity_endpoint = public_endpoint 'identity'
+auth_url = ::URI.decode identity_endpoint.to_s
+
+cloud_config = node['openstack']['identity']['cloud_config']
+
+directory cloud_config['path'] do
+  owner cloud_config['user']
+  group cloud_config['group']
+  mode cloud_config['path_mode']
+  recursive true
+end
+
+template "#{cloud_config['path']}/#{cloud_config['file']}" do
+  source 'cloud_config.erb'
+  owner cloud_config['user']
+  group cloud_config['group']
+  mode cloud_config['file_mode']
+  sensitive true
+  variables(
+    cloud_name: cloud_config['cloud_name'],
+    user: ksadmin_user,
+    user_domain_name: admin_domain_name,
+    project: ksadmin_project,
+    project_domain_name: project_domain_name,
+    password: ksadmin_pass,
+    identity_endpoint: auth_url
+  )
+end
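Review bot: `auth_url = ::URI.decode identity_endpoint.to_s` copies a call that Ruby 2.7 deprecates and Ruby 3.0 removes, so this brand-new recipe raises NoMethodError on a chef-client running Ruby 3; a new file should not inherit that from openrc.rb. If `public_endpoint` returns a URI object, `identity_endpoint.to_s` alone is presumably enough; if the stored endpoint can be percent-encoded, `::URI::DEFAULT_PARSER.unescape(identity_endpoint.to_s)` keeps the old decoding on every Ruby version. Either way a why-comment on the line would help, e.g. `# endpoint attribute may be stored percent-encoded; unescape so clouds.yaml gets a usable URL`. `sensitive true` on the template is right, since the rendered body carries the keystone admin password.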
diff --git a/recipes/openrc.rb b/recipes/openrc.rb
index 886391c..214acee 100644
--- a/recipes/openrc.rb
+++ b/recipes/openrc.rb
@@ -34,25 +34,26 @@ ksadmin_pass = get_password 'user', ksadmin_user
 identity_endpoint = public_endpoint 'identity'
 auth_url = ::URI.decode identity_endpoint.to_s
 
-directory node['openstack']['openrc']['path'] do
-  owner node['openstack']['openrc']['user']
-  group node['openstack']['openrc']['group']
-  mode node['openstack']['openrc']['path_mode']
+openrc_config = node['openstack']['identity']['openrc']
+
+directory openrc_config['path'] do
+  owner openrc_config['user']
+  group openrc_config['group']
+  mode openrc_config['path_mode']
   recursive true
 end
 
-template "#{node['openstack']['openrc']['path']}/#{node['openstack']['openrc']['file']}" do
+template "#{openrc_config['path']}/#{openrc_config['file']}" do
   source 'openrc.erb'
-  owner node['openstack']['openrc']['user']
-  group node['openstack']['openrc']['group']
-  mode node['openstack']['openrc']['file_mode']
+  owner openrc_config['user']
+  group openrc_config['group']
+  mode openrc_config['file_mode']
   sensitive true
   variables(
     user: ksadmin_user,
     user_domain_name: admin_domain_name,
     project: ksadmin_project,
     project_domain_name: project_domain_name,
-    api_version: '3',
     password: ksadmin_pass,
     identity_endpoint: auth_url
   )
diff --git a/recipes/server-apache.rb b/recipes/server-apache.rb
index f356b70..7960b65 100644
--- a/recipes/server-apache.rb
+++ b/recipes/server-apache.rb
@@ -117,11 +117,11 @@ directory '/etc/keystone' do
 end
 
 # create keystone domain config dir if needed
-directory node['openstack']['identity']['identity']['domain_config_dir'] do
+directory node['openstack']['identity']['domain_config_dir'] do
   owner keystone_user
   group keystone_group
   mode 0o0700
-  only_if { node['openstack']['identity']['identity']['domain_specific_drivers_enabled'] }
+  only_if { node['openstack']['identity']['domain_specific_drivers_enabled'] }
 end
 
 # delete the keystone.db sqlite file if another db backend is used
diff --git a/spec/server-apache_spec.rb b/spec/server-apache_spec.rb
index ce5a5d1..c662889 100644
--- a/spec/server-apache_spec.rb
+++ b/spec/server-apache_spec.rb
@@ -76,7 +76,7 @@ describe 'openstack-identity::server-apache' do
   end
 
   it 'creates /etc/keystone/domains when domain_specific_drivers_enabled enabled' do
-    node.override['openstack']['identity']['identity']['domain_specific_drivers_enabled'] = true
+    node.override['openstack']['identity']['domain_specific_drivers_enabled'] = true
     expect(chef_run).to create_directory(dir).with(
       user: 'keystone',
       group: 'keystone',
diff --git a/templates/default/cloud_config.erb b/templates/default/cloud_config.erb
new file mode 100644
index 0000000..29f4041
--- /dev/null
+++ b/templates/default/cloud_config.erb
@@ -0,0 +1,11 @@
+clouds:
+  <%= @cloud_name %>:
+    auth:
+      username: <%= @user %>
+      user_domain_name: <%= @user_domain_name %>
+      password: <%= @password %>
+      project_name: <%= @project %>
+      project_domain_name: <%= @project_domain_name %>
+      auth_url: <%= @identity_endpoint %>
+    identity_api_version: 3
+    region_name: <%= node['openstack']['region'] %>
diff --git a/templates/default/openrc.erb b/templates/default/openrc.erb
index 2c1ee37..d54cb82 100644
--- a/templates/default/openrc.erb
+++ b/templates/default/openrc.erb
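Review bot: `password: <%= @password %>` in the new clouds.yaml template writes the keystone admin password as a bare YAML scalar, so a password containing ` #`, `: `, or a leading `*`, `&`, `!`, `'`, `"`, `[` or `{` is truncated, mis-parsed or rejected when the client loads the file; the same applies to the interpolated username, project and domain names and to `auth_url`. Emitting each value as a JSON string yields a correctly escaped double-quoted YAML scalar, e.g. `password: <%= @password.to_json %>`, and likewise for the other `<%= %>` scalars. `to_json` should be loaded in the chef-client template context (verify in a ChefSpec render); `inspect` is a near but not exact substitute because Ruby string escapes are not all valid YAML escapes.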
@@ -6,7 +6,7 @@ export OS_USER_DOMAIN_NAME=<%= @user_domain_name %>
 export OS_PASSWORD=<%= @password %>
 export OS_PROJECT_NAME=<%= @project %>
 export OS_PROJECT_DOMAIN_NAME=<%= @project_domain_name %>
-export OS_IDENTITY_API_VERSION=<%= @api_version %>
+export OS_IDENTITY_API_VERSION=3
 export OS_AUTH_URL=<%= @identity_endpoint %>
 export OS_REGION_NAME=<%= node['openstack']['region'] %>