Enable custom keystone endpoint_type in templates

Allow specifying a custom AUTH_URL for the templates in case instances
cannot reach the internalURL, which is the case in most deployments.

A new variable is introduced in the trust section:
trustee_keystone_interface, which defaults to public.

Change-Id: I2a908c0752387e4ff4ad2b0fdf0c1025a73ce806
Closes-Bug: #1643197
Kevin Lefevre 2017-04-10 16:36:21 +02:00 committed by ArchiFleKs
parent a3817530b6
commit 4c241a683f
12 changed files with 19 additions and 14 deletions


@ -208,6 +208,7 @@ function create_magnum_conf {
iniset $MAGNUM_CONF trust trustee_domain_name magnum iniset $MAGNUM_CONF trust trustee_domain_name magnum
iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin
iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD
iniset $MAGNUM_CONF trust trustee_keystone_interface public
iniset $MAGNUM_CONF cinder_client region_name $REGION_NAME iniset $MAGNUM_CONF cinder_client region_name $REGION_NAME
if is_service_enabled swift; then if is_service_enabled swift; then


@ -76,11 +76,17 @@
trustee_domain_name = magnum trustee_domain_name = magnum
trustee_domain_admin_name = magnum_domain_admin trustee_domain_admin_name = magnum_domain_admin
trustee_domain_admin_password = DOMAIN_ADMIN_PASS trustee_domain_admin_password = DOMAIN_ADMIN_PASS
trustee_keystone_interface = KEYSTONE_INTERFACE
Replace MAGNUM_PASS with the password you chose for the magnum user in the Replace MAGNUM_PASS with the password you chose for the magnum user in the
Identity service and DOMAIN_ADMIN_PASS with the password you chose for the Identity service and DOMAIN_ADMIN_PASS with the password you chose for the
``magnum_domain_admin`` user. ``magnum_domain_admin`` user.
Replace KEYSTONE_INTERFACE with either ``public`` or ``internal``
depending on your network configuration. If your instances cannot reach
internal keystone endpoint which is often the case in production
environments it should be set to ``public``. Default to ``public``
* In the ``[oslo_messaging_notifications]`` section, configure the * In the ``[oslo_messaging_notifications]`` section, configure the
``driver``: ``driver``:


@ -50,7 +50,10 @@ trust_opts = [
cfg.ListOpt('roles', cfg.ListOpt('roles',
default=[], default=[],
help=_('The roles which are delegated to the trustee ' help=_('The roles which are delegated to the trustee '
'by the trustor')) 'by the trustor')),
cfg.StrOpt('trustee_keystone_interface',
default='public',
help=_('Auth interface used by instances/trustee'))
] ]
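Review bot: The new `trustee_keystone_interface` option in `trust_opts` accepts any string, so a misspelled value is presumably only discovered later, when the endpoint lookup for a cluster template fails. This setting decides which Keystone endpoint cluster instances send trustee credentials to, so it is worth rejecting bad values at load time, e.g. `cfg.StrOpt('trustee_keystone_interface', default='public', choices=['public', 'internal'], ...)` to match the two values the install guide documents. The help text could also say that the value selects the identity endpoint interface handed to instances. The `trust_opts` list starts outside this hunk.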


@ -55,8 +55,6 @@ auth_json=$(cat << EOF
EOF EOF
) )
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
content_type='Content-Type: application/json' content_type='Content-Type: application/json'
url="$AUTH_URL/auth/tokens" url="$AUTH_URL/auth/tokens"
USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \ USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \
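Review bot: The token request on the `USER_TOKEN=` line still runs `curl -k`, which turns off certificate verification while the script posts the trustee credentials in `$auth_json` to `$AUTH_URL`. With this commit the URL defaults to the public Keystone endpoint, so the request may cross a network the instance does not control; consider dropping `-k` and passing the deployment CA instead, e.g. `curl --cacert "$CA_BUNDLE_PATH" -s -i ...` (`CA_BUNDLE_PATH` is a placeholder, not a variable this script defines). `$url` should also be quoted. The same pattern appears in the three other script and template sections of this commit that drop the `AUTH_URL=${AUTH_URL/v2.0/v3}` rewrite. The command continues past the end of this hunk.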


@ -81,8 +81,6 @@ auth_json=$(cat << EOF
EOF EOF
) )
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
content_type='Content-Type: application/json' content_type='Content-Type: application/json'
url="$AUTH_URL/auth/tokens" url="$AUTH_URL/auth/tokens"
USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \ USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \


@ -160,7 +160,7 @@ def get_user_token(config):
} }
creds = creds_str % params creds = creds_str % params
headers = {'Content-Type': 'application/json'} headers = {'Content-Type': 'application/json'}
url = config['AUTH_URL'].replace('v2.0', 'v3') + '/auth/tokens' url = config['AUTH_URL'] + '/auth/tokens'
r = requests.post(url, headers=headers, data=creds) r = requests.post(url, headers=headers, data=creds)
config['USER_TOKEN'] = r.headers['X-Subject-Token'] config['USER_TOKEN'] = r.headers['X-Subject-Token']
return config return config
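Review bot: `get_user_token` reads `r.headers['X-Subject-Token']` without checking the response, so a rejected or misrouted request surfaces as a bare `KeyError`. That matters more now that the `v2.0` to `v3` rewrite is gone and the function relies on `config['AUTH_URL']` already being a v3 URL. Adding `r.raise_for_status()` right after the post, and a `timeout=` argument on `requests.post(...)`, would give a clear failure instead. The function starts outside this hunk.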


@ -251,7 +251,10 @@ class BaseTemplateDefinition(TemplateDefinition):
else: else:
extra_params['trust_id'] = "" extra_params['trust_id'] = ""
extra_params['auth_url'] = context.auth_url extra_params['auth_url'] = osc.url_for(
service_type='identity',
interface=CONF.trust.trustee_keystone_interface,
version=3)
return super(BaseTemplateDefinition, return super(BaseTemplateDefinition,
self).get_params(context, cluster_template, cluster, self).get_params(context, cluster_template, cluster,
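Review bot: The switch from `context.auth_url` to a catalog lookup deserves a comment above the `extra_params['auth_url']` assignment, because nothing in the code says that this URL is the one instances use with the trustee credentials. Something like `# Resolved from the catalog for CONF.trust.trustee_keystone_interface: instances authenticate against this URL and may not reach the endpoint the API caller used.` would do. It would also help to state there that consumers append `/auth/tokens` directly and so need a v3 URL, since the script sections in this commit no longer rewrite `v2.0`. `get_params` starts and ends outside this hunk, so where `osc` is created is not visible here.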


@ -68,8 +68,6 @@ write_files:
} }
EOF EOF
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'` $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`


@ -99,8 +99,6 @@ write_files:
} }
EOF EOF
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'` $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`


@ -81,13 +81,13 @@ class TestClusterConductorWithK8s(base.TestCase):
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
'coe_version': 'fake-version', 'coe_version': 'fake-version',
} }
self.context.auth_url = 'http://192.168.10.10:5000/v3'
self.context.user_name = 'fake_user' self.context.user_name = 'fake_user'
self.context.tenant = 'fake_tenant' self.context.tenant = 'fake_tenant'
osc_patcher = mock.patch('magnum.common.clients.OpenStackClients') osc_patcher = mock.patch('magnum.common.clients.OpenStackClients')
self.mock_osc_class = osc_patcher.start() self.mock_osc_class = osc_patcher.start()
self.addCleanup(osc_patcher.stop) self.addCleanup(osc_patcher.stop)
self.mock_osc = mock.MagicMock() self.mock_osc = mock.MagicMock()
self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1' self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
self.mock_osc.cinder_region_name.return_value = 'RegionOne' self.mock_osc.cinder_region_name.return_value = 'RegionOne'
self.mock_keystone = mock.MagicMock() self.mock_keystone = mock.MagicMock()
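Review bot: The setup in `TestClusterConductorWithK8s` stubs `self.mock_osc.url_for`, but nothing visible in the hunk checks how it is called, so a lookup with the wrong interface or without `version=3` would presumably still pass. An assertion such as `self.mock_osc.url_for.assert_any_call(service_type='identity', interface='public', version=3)` in one of the template-definition tests would pin the new behaviour. The same applies to the Mesos and Swarm test sections of this commit. The test methods themselves are outside this hunk, so such a check may already exist there.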


@ -67,7 +67,6 @@ class TestClusterConductorWithMesos(base.TestCase):
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
} }
self.context.auth_url = 'http://192.168.10.10:5000/v3'
self.context.user_name = 'mesos_user' self.context.user_name = 'mesos_user'
self.context.tenant = 'admin' self.context.tenant = 'admin'
self.context.domain_name = 'domainname' self.context.domain_name = 'domainname'
@ -80,6 +79,7 @@ class TestClusterConductorWithMesos(base.TestCase):
self.mock_keystone.trustee_domain_id = 'trustee_domain_id' self.mock_keystone.trustee_domain_id = 'trustee_domain_id'
self.mock_osc.keystone.return_value = self.mock_keystone self.mock_osc.keystone.return_value = self.mock_keystone
self.mock_osc_class.return_value = self.mock_osc self.mock_osc_class.return_value = self.mock_osc
self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
@patch('magnum.objects.ClusterTemplate.get_by_uuid') @patch('magnum.objects.ClusterTemplate.get_by_uuid')
@patch('magnum.drivers.common.driver.Driver.get_driver') @patch('magnum.drivers.common.driver.Driver.get_driver')


@ -85,11 +85,11 @@ class TestClusterConductorWithSwarm(base.TestCase):
self.addCleanup(osc_patcher.stop) self.addCleanup(osc_patcher.stop)
self.mock_osc = mock.MagicMock() self.mock_osc = mock.MagicMock()
self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1' self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
self.mock_keystone = mock.MagicMock() self.mock_keystone = mock.MagicMock()
self.mock_keystone.trustee_domain_id = 'trustee_domain_id' self.mock_keystone.trustee_domain_id = 'trustee_domain_id'
self.mock_osc.keystone.return_value = self.mock_keystone self.mock_osc.keystone.return_value = self.mock_keystone
self.mock_osc_class.return_value = self.mock_osc self.mock_osc_class.return_value = self.mock_osc
self.context.auth_url = 'http://192.168.10.10:5000/v3'
@patch('requests.get') @patch('requests.get')
@patch('magnum.objects.ClusterTemplate.get_by_uuid') @patch('magnum.objects.ClusterTemplate.get_by_uuid')