Add a cloud_config recipe

Using a cloud config file when accessing a cloud is the modern variant of setting lots of environment variables, so we add a new recipe that produces a cloud config matching what we are deploying. Clean up the old openrc template a bit. Change-Id: I8574d9f4299be5b2a374140b461ef48e9e80ae6b
2019-08-22 08:10:43 +00:00 · 2019-08-22 08:10:43 +00:00 · f2902385ef
commit f2902385ef
parent df72871ac8
7 changed files with 100 additions and 25 deletions
--- a/attributes/default.rb
+++ b/attributes/default.rb
@ -128,7 +128,7 @@ default['openstack']['identity']['conf']['credential']['key_repository'] =
  '/etc/keystone/credential-tokens'

 # configuration directory for keystone domain specific options
-default['openstack']['identity']['identity']['domain_config_dir'] = '/etc/keystone/domains'
+default['openstack']['identity']['domain_config_dir'] = '/etc/keystone/domains'

 # keystone service user name
 default['openstack']['identity']['user'] = 'keystone'
@ -160,15 +160,17 @@ end
 # array of bare options for openrc (e.g. 'option=value')
 default['openstack']['misc_openrc'] = nil

-# openrc path
-default['openstack']['openrc']['path'] = '/root'
-# openrc path mode
-default['openstack']['openrc']['path_mode'] = '0700'
+%w(openrc cloud_config).each do |file_type|
+  default['openstack']['identity'][file_type]['path'] = '/root'
+  default['openstack']['identity'][file_type]['path_mode'] = '0700'
+  default['openstack']['identity'][file_type]['file_mode'] = '0600'
+  default['openstack']['identity'][file_type]['user'] = 'root'
+  default['openstack']['identity'][file_type]['group'] = 'root'
+end
+
 # openrc file name
-default['openstack']['openrc']['file'] = 'openrc'
-# openrc file mode
-default['openstack']['openrc']['file_mode'] = '0600'
-# openrc file owner
-default['openstack']['openrc']['user'] = 'root'
-# openrc file group
-default['openstack']['openrc']['group'] = 'root'
+default['openstack']['identity']['openrc']['file'] = 'openrc'
+# cloud_config file name
+default['openstack']['identity']['cloud_config']['file'] = 'clouds.yaml'
+# cloud_config cloud name
+default['openstack']['identity']['cloud_config']['cloud_name'] = 'default'
--- a/recipes/cloud_config.rb
+++ b/recipes/cloud_config.rb
@ -0,0 +1,61 @@
+# encoding: UTF-8
+#
+# Cookbook Name:: openstack-identity
+# recipe:: cloud_config
+#
+# Copyright 2019 x-ion GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This recipe creates a fully usable cloud config file to be used directly
+# by the openstack client or sdk.
+
+class ::Chef::Recipe
+  include ::Openstack
+end
+
+ksadmin_project = node['openstack']['identity']['admin_project']
+project_domain_name = node['openstack']['identity']['admin_project_domain']
+ksadmin_user = node['openstack']['identity']['admin_user']
+admin_domain_name = node['openstack']['identity']['admin_domain_name']
+
+ksadmin_pass = get_password 'user', ksadmin_user
+
+identity_endpoint = public_endpoint 'identity'
+auth_url = ::URI.decode identity_endpoint.to_s
+
+cloud_config = node['openstack']['identity']['cloud_config']
+
+directory cloud_config['path'] do
+  owner cloud_config['user']
+  group cloud_config['group']
+  mode cloud_config['path_mode']
+  recursive true
+end
+
+template "#{cloud_config['path']}/#{cloud_config['file']}" do
+  source 'cloud_config.erb'
+  owner cloud_config['user']
+  group cloud_config['group']
+  mode cloud_config['file_mode']
+  sensitive true
+  variables(
+    cloud_name: cloud_config['cloud_name'],
+    user: ksadmin_user,
+    user_domain_name: admin_domain_name,
+    project: ksadmin_project,
+    project_domain_name: project_domain_name,
+    password: ksadmin_pass,
+    identity_endpoint: auth_url
+  )
+end
--- a/recipes/openrc.rb
+++ b/recipes/openrc.rb
@ -34,25 +34,26 @@ ksadmin_pass = get_password 'user', ksadmin_user
 identity_endpoint = public_endpoint 'identity'
 auth_url = ::URI.decode identity_endpoint.to_s

-directory node['openstack']['openrc']['path'] do
-  owner node['openstack']['openrc']['user']
-  group node['openstack']['openrc']['group']
-  mode node['openstack']['openrc']['path_mode']
+openrc_config = node['openstack']['identity']['openrc']
+
+directory openrc_config['path'] do
+  owner openrc_config['user']
+  group openrc_config['group']
+  mode openrc_config['path_mode']
  recursive true
 end

-template "#{node['openstack']['openrc']['path']}/#{node['openstack']['openrc']['file']}" do
+template "#{openrc_config['path']}/#{openrc_config['file']}" do
  source 'openrc.erb'
-  owner node['openstack']['openrc']['user']
-  group node['openstack']['openrc']['group']
-  mode node['openstack']['openrc']['file_mode']
+  owner openrc_config['user']
+  group openrc_config['group']
+  mode openrc_config['file_mode']
  sensitive true
  variables(
    user: ksadmin_user,
    user_domain_name: admin_domain_name,
    project: ksadmin_project,
    project_domain_name: project_domain_name,
-    api_version: '3',
    password: ksadmin_pass,
    identity_endpoint: auth_url
  )
--- a/recipes/server-apache.rb
+++ b/recipes/server-apache.rb
@ -117,11 +117,11 @@ directory '/etc/keystone' do
 end

 # create keystone domain config dir if needed
-directory node['openstack']['identity']['identity']['domain_config_dir'] do
+directory node['openstack']['identity']['domain_config_dir'] do
  owner keystone_user
  group keystone_group
  mode 0o0700
-  only_if { node['openstack']['identity']['identity']['domain_specific_drivers_enabled'] }
+  only_if { node['openstack']['identity']['domain_specific_drivers_enabled'] }
 end

 # delete the keystone.db sqlite file if another db backend is used
--- a/spec/server-apache_spec.rb
+++ b/spec/server-apache_spec.rb
@ -76,7 +76,7 @@ describe 'openstack-identity::server-apache' do
      end

      it 'creates /etc/keystone/domains when domain_specific_drivers_enabled enabled' do
-        node.override['openstack']['identity']['identity']['domain_specific_drivers_enabled'] = true
+        node.override['openstack']['identity']['domain_specific_drivers_enabled'] = true
        expect(chef_run).to create_directory(dir).with(
          user: 'keystone',
          group: 'keystone',
--- a/templates/default/cloud_config.erb
+++ b/templates/default/cloud_config.erb
@ -0,0 +1,11 @@
+clouds:
+  <%= @cloud_name %>:
+    auth:
+      username: <%= @user %>
+      user_domain_name: <%= @user_domain_name %>
+      password: <%= @password %>
+      project_name: <%= @project %>
+      project_domain_name: <%= @project_domain_name %>
+      auth_url: <%= @identity_endpoint %>
+    identity_api_version: 3
+    region_name: <%= node['openstack']['region'] %>
--- a/templates/default/openrc.erb
+++ b/templates/default/openrc.erb
@ -6,7 +6,7 @@ export OS_USER_DOMAIN_NAME=<%= @user_domain_name %>
 export OS_PASSWORD=<%= @password %>
 export OS_PROJECT_NAME=<%= @project %>
 export OS_PROJECT_DOMAIN_NAME=<%= @project_domain_name %>
-export OS_IDENTITY_API_VERSION=<%= @api_version %>
+export OS_IDENTITY_API_VERSION=3
 export OS_AUTH_URL=<%= @identity_endpoint %>
 export OS_REGION_NAME=<%= node['openstack']['region'] %>