Enable custom keystone endpoint_type in templates

Allow to specify a custom AUTH_URL for the templates in case instances
cannot reach internalURL which is the case in mose deployment.

A new variable in trust section: trustee_keystone_interface which
default to public is introduced.

Change-Id: I2a908c0752387e4ff4ad2b0fdf0c1025a73ce806
Closes-Bug: #1643197
This commit is contained in:
Kevin Lefevre 2017-04-10 16:36:21 +02:00 committed by ArchiFleKs
parent 1881152217
commit 12a3cc01ca
13 changed files with 24 additions and 14 deletions

View File

@ -208,6 +208,7 @@ function create_magnum_conf {
iniset $MAGNUM_CONF trust trustee_domain_name magnum
iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin
iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD
iniset $MAGNUM_CONF trust trustee_keystone_interface public
iniset $MAGNUM_CONF cinder_client region_name $REGION_NAME
if is_service_enabled swift; then

View File

@ -76,11 +76,17 @@
trustee_domain_name = magnum
trustee_domain_admin_name = magnum_domain_admin
trustee_domain_admin_password = DOMAIN_ADMIN_PASS
trustee_keystone_interface = KEYSTONE_INTERFACE
Replace MAGNUM_PASS with the password you chose for the magnum user in the
Identity service and DOMAIN_ADMIN_PASS with the password you chose for the
``magnum_domain_admin`` user.
Replace KEYSTONE_INTERFACE with either ``public`` or ``internal``
depending on your network configuration. If your instances cannot reach
internal keystone endpoint which is often the case in production
environments it should be set to ``public``. Default to ``public``
* In the ``[oslo_messaging_notifications]`` section, configure the
``driver``:

View File

@ -50,7 +50,10 @@ trust_opts = [
cfg.ListOpt('roles',
default=[],
help=_('The roles which are delegated to the trustee '
'by the trustor'))
'by the trustor')),
cfg.StrOpt('trustee_keystone_interface',
default='public',
help=_('Auth interface used by instances/trustee'))
]

View File

@ -55,8 +55,6 @@ auth_json=$(cat << EOF
EOF
)
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
content_type='Content-Type: application/json'
url="$AUTH_URL/auth/tokens"
USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \

View File

@ -77,8 +77,6 @@ auth_json=$(cat << EOF
EOF
)
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
content_type='Content-Type: application/json'
url="$AUTH_URL/auth/tokens"
USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \

View File

@ -160,7 +160,7 @@ def get_user_token(config):
}
creds = creds_str % params
headers = {'Content-Type': 'application/json'}
url = config['AUTH_URL'].replace('v2.0', 'v3') + '/auth/tokens'
url = config['AUTH_URL'] + '/auth/tokens'
r = requests.post(url, headers=headers, data=creds)
config['USER_TOKEN'] = r.headers['X-Subject-Token']
return config

View File

@ -252,7 +252,10 @@ class BaseTemplateDefinition(TemplateDefinition):
else:
extra_params['trust_id'] = ""
extra_params['auth_url'] = context.auth_url
extra_params['auth_url'] = osc.url_for(
service_type='identity',
interface=CONF.trust.trustee_keystone_interface,
version=3)
return super(BaseTemplateDefinition,
self).get_params(context, cluster_template, cluster,

View File

@ -68,8 +68,6 @@ write_files:
}
EOF
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`

View File

@ -91,8 +91,6 @@ write_files:
}
EOF
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`

View File

@ -79,13 +79,13 @@ class TestClusterConductorWithK8s(base.TestCase):
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
'coe_version': 'fake-version',
}
self.context.auth_url = 'http://192.168.10.10:5000/v3'
self.context.user_name = 'fake_user'
self.context.tenant = 'fake_tenant'
osc_patcher = mock.patch('magnum.common.clients.OpenStackClients')
self.mock_osc_class = osc_patcher.start()
self.addCleanup(osc_patcher.stop)
self.mock_osc = mock.MagicMock()
self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
self.mock_osc.cinder_region_name.return_value = 'RegionOne'
self.mock_keystone = mock.MagicMock()

View File

@ -67,7 +67,6 @@ class TestClusterConductorWithMesos(base.TestCase):
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
}
self.context.auth_url = 'http://192.168.10.10:5000/v3'
self.context.user_name = 'mesos_user'
self.context.tenant = 'admin'
self.context.domain_name = 'domainname'
@ -80,6 +79,7 @@ class TestClusterConductorWithMesos(base.TestCase):
self.mock_keystone.trustee_domain_id = 'trustee_domain_id'
self.mock_osc.keystone.return_value = self.mock_keystone
self.mock_osc_class.return_value = self.mock_osc
self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
@patch('magnum.objects.ClusterTemplate.get_by_uuid')
@patch('magnum.drivers.common.driver.Driver.get_driver')

View File

@ -85,11 +85,11 @@ class TestClusterConductorWithSwarm(base.TestCase):
self.addCleanup(osc_patcher.stop)
self.mock_osc = mock.MagicMock()
self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
self.mock_keystone = mock.MagicMock()
self.mock_keystone.trustee_domain_id = 'trustee_domain_id'
self.mock_osc.keystone.return_value = self.mock_keystone
self.mock_osc_class.return_value = self.mock_osc
self.context.auth_url = 'http://192.168.10.10:5000/v3'
@patch('requests.get')
@patch('magnum.objects.ClusterTemplate.get_by_uuid')

View File

@ -0,0 +1,5 @@
---
features:
- Keystone URL used by Cluster Templates instances to authenticate is now
configurable with the ``trustee_keystone_interface`` parameter
which default to ``public``.