
Enable custom keystone endpoint_type in templates

Allow specifying a custom AUTH_URL for the templates in case instances
cannot reach the internalURL, which is the case in most deployments.

A new variable in trust section: trustee_keystone_interface which
default to public is introduced.

Change-Id: I2a908c0752387e4ff4ad2b0fdf0c1025a73ce806
Closes-Bug: #1643197
Kevin Lefevre 2 years ago
parent
commit
12a3cc01ca

+ 1
- 0
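--- a/devstack/lib/magnum
+++ b/devstack/lib/magnum
@@ -208,6 +208,7 @@ function create_magnum_conf {
     iniset $MAGNUM_CONF trust trustee_domain_name magnum
     iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin
     iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD
+    iniset $MAGNUM_CONF trust trustee_keystone_interface public
     iniset $MAGNUM_CONF cinder_client region_name $REGION_NAME
 
     if is_service_enabled swift; then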
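Review bot: The added `iniset` pins `trustee_keystone_interface` to the literal `public`, which is already the option's default in `magnum/conf/trust.py`, so a devstack-based job can never exercise the `internal` path the new option exists to select. The surrounding lines already read the admin password from `$MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD`; following that pattern keeps the behaviour and makes it overridable: `iniset $MAGNUM_CONF trust trustee_keystone_interface ${MAGNUM_TRUSTEE_KEYSTONE_INTERFACE:-public}`. `create_magnum_conf` starts and ends outside the hunk.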

+ 6
- 0
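--- a/install-guide/source/common/configure_2_edit_magnum_conf.rst
+++ b/install-guide/source/common/configure_2_edit_magnum_conf.rst
@@ -76,11 +76,17 @@
         trustee_domain_name = magnum
         trustee_domain_admin_name = magnum_domain_admin
         trustee_domain_admin_password = DOMAIN_ADMIN_PASS
+        trustee_keystone_interface = KEYSTONE_INTERFACE
 
      Replace MAGNUM_PASS with the password you chose for the magnum user in the
      Identity service and DOMAIN_ADMIN_PASS with the password you chose for the
      ``magnum_domain_admin`` user.
 
+     Replace KEYSTONE_INTERFACE with either ``public`` or ``internal``
+     depending on your network configuration. If your instances cannot reach
+     internal keystone endpoint which is often the case in production
+     environments it should be set to ``public``. Default to ``public``
+
   * In the ``[oslo_messaging_notifications]`` section, configure the
     ``driver``:
 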

+ 4
- 1
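--- a/magnum/conf/trust.py
+++ b/magnum/conf/trust.py
@@ -50,7 +50,10 @@ trust_opts = [
     cfg.ListOpt('roles',
                 default=[],
                 help=_('The roles which are delegated to the trustee '
-                       'by the trustor'))
+                       'by the trustor')),
+    cfg.StrOpt('trustee_keystone_interface',
+               default='public',
+               help=_('Auth interface used by instances/trustee'))
 ]
 
 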
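Review bot: The new `trustee_keystone_interface` option accepts any string and its help text neither lists the valid values nor says what the value controls, so a typo such as `internalURL` is presumably only discovered when the endpoint lookup fails during cluster creation rather than at config load. Since the value is passed straight to a catalog lookup as the endpoint interface (see `template_def.py` in this change), constrain it with `choices=['public', 'internal', 'admin'],` and make the help actionable: `help=_('Keystone endpoint interface (public, internal or admin) whose URL is handed to cluster instances for trustee authentication; it must be reachable from the instance network.')`. That URL ends up inside the cluster and receives the trustee credentials, which is why the help text is the right place to tell operators what they are exposing. The `trust_opts` list starts before the hunk.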

+ 0
- 2
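--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
@@ -55,8 +55,6 @@ auth_json=$(cat << EOF
 EOF
 )
 
-#trust is introduced in Keystone v3 version
-AUTH_URL=${AUTH_URL/v2.0/v3}
 content_type='Content-Type: application/json'
 url="$AUTH_URL/auth/tokens"
 USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \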

+ 0
- 2
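--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@@ -77,8 +77,6 @@ auth_json=$(cat << EOF
 EOF
 )
 
-#trust is introduced in Keystone v3 version
-AUTH_URL=${AUTH_URL/v2.0/v3}
 content_type='Content-Type: application/json'
 url="$AUTH_URL/auth/tokens"
 USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \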

+ 1
- 1
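--- a/magnum/drivers/common/templates/swarm/fragments/make-cert.py
+++ b/magnum/drivers/common/templates/swarm/fragments/make-cert.py
@@ -160,7 +160,7 @@ def get_user_token(config):
     }
     creds = creds_str % params
     headers = {'Content-Type': 'application/json'}
-    url = config['AUTH_URL'].replace('v2.0', 'v3') + '/auth/tokens'
+    url = config['AUTH_URL'] + '/auth/tokens'
     r = requests.post(url, headers=headers, data=creds)
     config['USER_TOKEN'] = r.headers['X-Subject-Token']
     return config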
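Review bot: With the local `v2.0`→`v3` rewrite gone, the new `url` line trusts that the `AUTH_URL` handed down by the conductor is already a v3 endpoint, yet the response is never checked: a 404 or 401 from `requests.post` on the next line surfaces as a `KeyError` on `X-Subject-Token` instead of an error naming the URL or status. Add `r.raise_for_status()` between the post and the header read so a wrong `trustee_keystone_interface` or version setting fails with the real HTTP error. `get_user_token` starts before the hunk.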

+ 4
- 1
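--- a/magnum/drivers/heat/template_def.py
+++ b/magnum/drivers/heat/template_def.py
@@ -252,7 +252,10 @@ class BaseTemplateDefinition(TemplateDefinition):
         else:
             extra_params['trust_id'] = ""
 
-        extra_params['auth_url'] = context.auth_url
+        extra_params['auth_url'] = osc.url_for(
+            service_type='identity',
+            interface=CONF.trust.trustee_keystone_interface,
+            version=3)
 
         return super(BaseTemplateDefinition,
                      self).get_params(context, cluster_template, cluster,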
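Review bot: The new `osc.url_for(...)` call has no handling for a catalog that lacks an identity endpoint for the configured interface, so a mistyped or unavailable `trustee_keystone_interface` presumably surfaces on every cluster create as a raw endpoint-lookup exception rather than a message naming the option; catching that lookup failure and re-raising with `trustee_keystone_interface` in the text would make the misconfiguration obvious. A comment is also warranted, because unlike the other params this URL is not consumed by the conductor but shipped into the instances together with the trustee credentials: `# Identity URL handed to cluster instances for trustee auth; must be reachable from the instance network (CONF.trust.trustee_keystone_interface).`. Whether `url_for(..., version=3)` always returns a versioned URL is not visible here, and the make-cert scripts in this change no longer rewrite `v2.0` to `v3`, so that contract is worth confirming before merging. `get_params` starts and ends outside the hunk.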

+ 0
- 2
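--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
@@ -68,8 +68,6 @@ write_files:
       }
       EOF
 
-      #trust is introduced in Keystone v3 version
-      AUTH_URL=${AUTH_URL/v2.0/v3}
       USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
                        $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
 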

+ 0
- 2
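--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
@@ -91,8 +91,6 @@ write_files:
       }
       EOF
 
-      #trust is introduced in Keystone v3 version
-      AUTH_URL=${AUTH_URL/v2.0/v3}
       USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
                        $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
 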

+ 1
- 1
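--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -79,13 +79,13 @@ class TestClusterConductorWithK8s(base.TestCase):
             'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
             'coe_version': 'fake-version',
         }
-        self.context.auth_url = 'http://192.168.10.10:5000/v3'
         self.context.user_name = 'fake_user'
         self.context.tenant = 'fake_tenant'
         osc_patcher = mock.patch('magnum.common.clients.OpenStackClients')
         self.mock_osc_class = osc_patcher.start()
         self.addCleanup(osc_patcher.stop)
         self.mock_osc = mock.MagicMock()
+        self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
         self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
         self.mock_osc.cinder_region_name.return_value = 'RegionOne'
         self.mock_keystone = mock.MagicMock()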
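Review bot: The added `url_for.return_value` stub keeps the existing assertions on `auth_url` green, but nothing in the hunk checks what `url_for` was called with, so a regression in the `interface=` or `version=3` arguments that `template_def.py` now passes would go unnoticed. In one of the tests that drives `get_params`, add `self.mock_osc.url_for.assert_called_with(service_type='identity', interface='public', version=3)` (or read the interface from `CONF.trust.trustee_keystone_interface`) so the new option is actually under test. `setUp` starts before the hunk.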

+ 1
- 1
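--- a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
@@ -67,7 +67,6 @@ class TestClusterConductorWithMesos(base.TestCase):
             'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
             'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
         }
-        self.context.auth_url = 'http://192.168.10.10:5000/v3'
         self.context.user_name = 'mesos_user'
         self.context.tenant = 'admin'
         self.context.domain_name = 'domainname'
@@ -80,6 +79,7 @@ class TestClusterConductorWithMesos(base.TestCase):
         self.mock_keystone.trustee_domain_id = 'trustee_domain_id'
         self.mock_osc.keystone.return_value = self.mock_keystone
         self.mock_osc_class.return_value = self.mock_osc
+        self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
 
     @patch('magnum.objects.ClusterTemplate.get_by_uuid')
     @patch('magnum.drivers.common.driver.Driver.get_driver')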
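Review bot: The second hunk only stubs `url_for` to return a fixed URL; no assertion in this file's hunks verifies the arguments the template code passes, so the test would still pass if the `interface=` kwarg were dropped or hard-coded. A one-line `self.mock_osc.url_for.assert_called_with(service_type='identity', interface='public', version=3)` in the test exercising `get_params` would pin the new behaviour. `setUp` starts before the first hunk.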

+ 1
- 1
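--- a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
@@ -85,11 +85,11 @@ class TestClusterConductorWithSwarm(base.TestCase):
         self.addCleanup(osc_patcher.stop)
         self.mock_osc = mock.MagicMock()
         self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
+        self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
         self.mock_keystone = mock.MagicMock()
         self.mock_keystone.trustee_domain_id = 'trustee_domain_id'
         self.mock_osc.keystone.return_value = self.mock_keystone
         self.mock_osc_class.return_value = self.mock_osc
-        self.context.auth_url = 'http://192.168.10.10:5000/v3'
 
     @patch('requests.get')
     @patch('magnum.objects.ClusterTemplate.get_by_uuid')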
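Review bot: As in the sibling conductor tests, the added stub only makes `url_for` return a URL; no test in the hunk checks that it is invoked with `interface=CONF.trust.trustee_keystone_interface` and `version=3`, which is the behaviour this commit introduces. Add `self.mock_osc.url_for.assert_called_with(service_type='identity', interface='public', version=3)` to the test that drives `get_params`, and ideally a second case that overrides the option to `internal` via the config fixture. `setUp` starts before the hunk.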

+ 5
- 0
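--- /dev/null
+++ b/releasenotes/notes/keystone_trustee_interface-6d63b74616dda1d4.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - Keystone URL used by Cluster Templates instances to authenticate is now
+    configurable with the ``trustee_keystone_interface`` parameter
+    which default to ``public``.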
