Use trust for tls cert generation in swarm

Currently, we use the users auth token, which expires after a while.
We need to use a trust instead.

Remove user_token at the same time.

Change-Id: Id1d34c59eccd70be24c5b9e00cd921b5a9d59860
Partially-Implements: blueprint use-trust-for-tls-cert-generation

magnum/conductor/template_definition.py

@@ -363,20 +363,6 @@ class BaseTemplateDefinition(TemplateDefinition):
                                       extra_params=extra_params,
                                       **kwargs)
 
-    def _get_user_token(self, context, osc, bay):
-        """Retrieve user token from the Heat stack or context.
-
-        :param context: The security context
-        :param osc: The openstack client
-        :param bay: The bay
-        :return: A user token
-        """
-        if hasattr(bay, 'stack_id'):
-            stack = osc.heat().stacks.get(bay.stack_id)
-            return stack.parameters['user_token']
-        else:
-            return context.auth_token
-
     def get_discovery_url(self, bay):
         if hasattr(bay, 'discovery_url') and bay.discovery_url:
             discovery_url = bay.discovery_url
@@ -518,7 +504,6 @@ class AtomicK8sTemplateDefinition(K8sTemplateDefinition):
         extra_params['username'] = context.user_name
         extra_params['tenant_name'] = context.tenant
         osc = clients.OpenStackClients(context)
-        extra_params['user_token'] = self._get_user_token(context, osc, bay)
         extra_params['magnum_url'] = osc.magnum_url()
         extra_params['region_name'] = osc.cinder_region_name()
 
@@ -597,7 +582,6 @@ class AtomicSwarmTemplateDefinition(BaseTemplateDefinition):
         # it should be replaced with an actual trust token with only
         # access to do what the template needs it to do.
         osc = clients.OpenStackClients(context)
-        extra_params['user_token'] = self._get_user_token(context, osc, bay)
         extra_params['magnum_url'] = osc.magnum_url()
 
         label_list = ['flannel_network_cidr', 'flannel_backend',

magnum/templates/kubernetes/fragments/write-heat-params-master.yaml

@@ -23,7 +23,6 @@ write_files:
       CLUSTER_SUBNET="$CLUSTER_SUBNET"
       TLS_DISABLED="$TLS_DISABLED"
       BAY_UUID="$BAY_UUID"
-      USER_TOKEN="$USER_TOKEN"
       MAGNUM_URL="$MAGNUM_URL"
       HTTP_PROXY="$HTTP_PROXY"
       HTTPS_PROXY="$HTTPS_PROXY"

magnum/templates/kubernetes/fragments/write-heat-params.yaml

@@ -25,7 +25,6 @@ write_files:
       REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
       TLS_DISABLED="$TLS_DISABLED"
       BAY_UUID="$BAY_UUID"
-      USER_TOKEN="$USER_TOKEN"
       MAGNUM_URL="$MAGNUM_URL"
       AUTH_URL="$AUTH_URL"
       USERNAME="$USERNAME"

magnum/templates/kubernetes/kubecluster.yaml

@@ -224,10 +224,6 @@ parameters:
       service.
     default: 6443
 
-  user_token:
-    type: string
-    description: token used for communicating back to Magnum for TLS certs
-
   bay_uuid:
     type: string
     description: identifier for the bay this template is generating
@@ -447,7 +443,6 @@ resources:
           flannel_backend: {get_param: flannel_backend}
           portal_network_cidr: {get_param: portal_network_cidr}
           discovery_url: {get_param: discovery_url}
-          user_token: {get_param: user_token}
           bay_uuid: {get_param: bay_uuid}
           magnum_url: {get_param: magnum_url}
           fixed_network: {get_resource: fixed_network}
@@ -510,7 +505,6 @@ resources:
           registry_container: {get_param: registry_container}
           registry_insecure: {get_param: registry_insecure}
           registry_chunksize: {get_param: registry_chunksize}
-          user_token: {get_param: user_token}
           bay_uuid: {get_param: bay_uuid}
           magnum_url: {get_param: magnum_url}
           volume_driver: {get_param: volume_driver}

magnum/templates/kubernetes/kubemaster.yaml

@@ -81,10 +81,6 @@ parameters:
       service.
     default: 6443
 
-  user_token:
-    type: string
-    description: token used for communicating back to Magnum for TLS certs
-
   bay_uuid:
     type: string
     description: identifier for the bay this template is generating
@@ -220,7 +216,6 @@ resources:
             "$CLUSTER_SUBNET": {get_param: fixed_subnet}
             "$TLS_DISABLED": {get_param: tls_disabled}
             "$BAY_UUID": {get_param: bay_uuid}
-            "$USER_TOKEN": {get_param: user_token}
             "$MAGNUM_URL": {get_param: magnum_url}
             "$HTTP_PROXY": {get_param: http_proxy}
             "$HTTPS_PROXY": {get_param: https_proxy}

magnum/templates/kubernetes/kubeminion.yaml

@@ -52,10 +52,6 @@ parameters:
       service.
     default: 6443
 
-  user_token:
-    type: string
-    description: token used for communicating back to Magnum for TLS certs
-
   bay_uuid:
     type: string
     description: identifier for the bay this template is generating
@@ -270,7 +266,6 @@ resources:
             $REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
             $TLS_DISABLED: {get_param: tls_disabled}
             $BAY_UUID: {get_param: bay_uuid}
-            $USER_TOKEN: {get_param: user_token}
             $MAGNUM_URL: {get_param: magnum_url}
             $AUTH_URL: {get_param: auth_url}
             $USERNAME: {get_param: username}

magnum/templates/swarm/fragments/make-cert.py

@@ -133,10 +133,47 @@ def write_server_cert(config, csr_req):
         fp.write(csr_resp.json()['pem'])
 
 
+def get_user_token(config):
+    creds_str = '''
+{
+    "auth": {
+        "identity": {
+            "methods": [
+                "password"
+            ],
+            "password": {
+                "user": {
+                    "id": "%(trustee_user_id)s",
+                    "password": "%(trustee_password)s"
+                }
+            }
+        },
+        "scope": {
+            "OS-TRUST:trust": {
+                "id": "%(trust_id)s"
+            }
+        }
+    }
+}
+'''
+    params = {
+        'trustee_user_id': config['TRUSTEE_USER_ID'],
+        'trustee_password': config['TRUSTEE_PASSWORD'],
+        'trust_id': config['TRUST_ID']
+    }
+    creds = creds_str % params
+    headers = {'Content-Type': 'application/json'}
+    url = config['AUTH_URL'].replace('v2.0', 'v3') + '/auth/tokens'
+    r = requests.post(url, headers=headers, data=creds)
+    config['USER_TOKEN'] = r.headers['X-Subject-Token']
+    return config
+
+
 def main():
     config = load_config()
     if config['TLS_DISABLED'] == 'False':
         create_dirs()
+        config = get_user_token(config)
         write_ca_cert(config)
         write_server_key()
         csr_req = create_server_csr(config)

magnum/templates/swarm/fragments/write-heat-params.yaml

@@ -14,7 +14,6 @@ write_files:
       SWARM_API_IP="$SWARM_API_IP"
       SWARM_NODE_IP="$SWARM_NODE_IP"
       BAY_UUID="$BAY_UUID"
-      USER_TOKEN="$USER_TOKEN"
       MAGNUM_URL="$MAGNUM_URL"
       TLS_DISABLED="$TLS_DISABLED"
       NETWORK_DRIVER="$NETWORK_DRIVER"
@@ -25,3 +24,7 @@ write_files:
       API_IP_ADDRESS="$API_IP_ADDRESS"
       SWARM_VERSION="$SWARM_VERSION"
       AGENT_WAIT_HANDLE="$AGENT_WAIT_HANDLE"
+      TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
+      TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
+      TRUST_ID="$TRUST_ID"
+      AUTH_URL="$AUTH_URL"

magnum/templates/swarm/swarmcluster.yaml

@@ -25,10 +25,6 @@ parameters:
     type: string
     description: url provided for node discovery
 
-  user_token:
-    type: string
-    description: token used for communicating back to Magnum for TLS certs
-
   bay_uuid:
     type: string
     description: identifier for the bay this template is generating
@@ -310,7 +306,6 @@ resources:
           no_proxy: {get_param: no_proxy}
           swarm_api_ip: {get_attr: [api_pool, vip, address]}
           bay_uuid: {get_param: bay_uuid}
-          user_token: {get_param: user_token}
           magnum_url: {get_param: magnum_url}
           tls_disabled: {get_param: tls_disabled}
           secgroup_swarm_master_id: {get_resource: secgroup_manager}
@@ -324,6 +319,10 @@ resources:
           etcd_server_ip: {get_attr: [etcd_pool, vip, address]}
           api_ip_address: {get_attr: [api_pool_floating, floating_ip_address]}
           swarm_version: {get_param: swarm_version}
+          trustee_user_id: {get_param: trustee_user_id}
+          trustee_password: {get_param: trustee_password}
+          trust_id: {get_param: trust_id}
+          auth_url: {get_param: auth_url}
 
   swarm_nodes:
     type: "OS::Heat::ResourceGroup"
@@ -347,7 +346,6 @@ resources:
           no_proxy: {get_param: no_proxy}
           swarm_api_ip: {get_attr: [api_pool, vip, address]}
           bay_uuid: {get_param: bay_uuid}
-          user_token: {get_param: user_token}
           magnum_url: {get_param: magnum_url}
           tls_disabled: {get_param: tls_disabled}
           secgroup_swarm_node_id: {get_resource: secgroup_manager}
@@ -356,6 +354,10 @@ resources:
           etcd_server_ip: {get_attr: [etcd_pool, vip, address]}
           api_ip_address: {get_attr: [api_pool_floating, floating_ip_address]}
           swarm_version: {get_param: swarm_version}
+          trustee_user_id: {get_param: trustee_user_id}
+          trustee_password: {get_param: trustee_password}
+          trust_id: {get_param: trust_id}
+          auth_url: {get_param: auth_url}
 
 outputs:
 

magnum/templates/swarm/swarmmaster.yaml

@@ -24,10 +24,6 @@ parameters:
     type: string
     description: url provided for node discovery
 
-  user_token:
-    type: string
-    description: token used for communicating back to Magnum for TLS certs
-
   bay_uuid:
     type: string
     description: identifier for the bay this template is generating
@@ -120,6 +116,27 @@ parameters:
     type: string
     description: ip address of the load balancer pool of etcd server.
 
+  trustee_user_id:
+    type: string
+    description: user id of the trustee
+    default: ""
+
+  trustee_password:
+    type: string
+    description: password of the trustee
+    default: ""
+    hidden: true
+
+  trust_id:
+    type: string
+    description: id of the trust which is used by the trustee
+    default: ""
+    hidden: true
+
+  auth_url:
+    type: string
+    description: url for keystone
+
 resources:
 
   cloud_init_wait_handle:
@@ -168,7 +185,6 @@ resources:
             "$SWARM_API_IP": {get_param: swarm_api_ip}
             "$SWARM_NODE_IP": {get_attr: [swarm_master_eth0, fixed_ips, 0, ip_address]}
             "$BAY_UUID": {get_param: bay_uuid}
-            "$USER_TOKEN": {get_param: user_token}
             "$MAGNUM_URL": {get_param: magnum_url}
             "$TLS_DISABLED": {get_param: tls_disabled}
             "$NETWORK_DRIVER": {get_param: network_driver}
@@ -178,6 +194,10 @@ resources:
             "$ETCD_SERVER_IP": {get_param: etcd_server_ip}
             "$API_IP_ADDRESS": {get_param: api_ip_address}
             "$SWARM_VERSION": {get_param: swarm_version}
+            "$TRUSTEE_USER_ID": {get_param: trustee_user_id}
+            "$TRUSTEE_PASSWORD": {get_param: trustee_password}
+            "$TRUST_ID": {get_param: trust_id}
+            "$AUTH_URL": {get_param: auth_url}
 
   write_network_config:
     type: "OS::Heat::SoftwareConfig"

magnum/templates/swarm/swarmnode.yaml

@@ -69,10 +69,6 @@ parameters:
     type: string
     description: swarm master's api server public ip address
 
-  user_token:
-    type: string
-    description: token used for communicating back to Magnum for TLS certs
-
   bay_uuid:
     type: string
     description: identifier for the bay this template is generating
@@ -97,6 +93,24 @@ parameters:
     type: string
     description: ip address of the load balancer pool of etcd server.
 
+  trustee_user_id:
+    type: string
+    description: user id of the trustee
+
+  trustee_password:
+    type: string
+    description: password of the trustee
+    hidden: true
+
+  trust_id:
+    type: string
+    description: id of the trust which is used by the trustee
+    hidden: true
+
+  auth_url:
+    type: string
+    description: url for keystone
+
 resources:
 
   node_cloud_init_wait_handle:
@@ -143,7 +157,6 @@ resources:
             "$SWARM_API_IP": {get_param: swarm_api_ip}
             "$SWARM_NODE_IP": {get_attr: [swarm_node_eth0, fixed_ips, 0, ip_address]}
             "$BAY_UUID": {get_param: bay_uuid}
-            "$USER_TOKEN": {get_param: user_token}
             "$MAGNUM_URL": {get_param: magnum_url}
             "$TLS_DISABLED": {get_param: tls_disabled}
             "$NETWORK_DRIVER": {get_param: network_driver}
@@ -151,6 +164,10 @@ resources:
             "$API_IP_ADDRESS": {get_param: api_ip_address}
             "$SWARM_VERSION": {get_param: swarm_version}
             "$AGENT_WAIT_HANDLE": {get_resource: node_agent_wait_handle}
+            "$TRUSTEE_USER_ID": {get_param: trustee_user_id}
+            "$TRUSTEE_PASSWORD": {get_param: trustee_password}
+            "$TRUST_ID": {get_param: trust_id}
+            "$AUTH_URL": {get_param: auth_url}
 
   remove_docker_key:
     type: "OS::Heat::SoftwareConfig"

magnum/tests/unit/conductor/handlers/test_k8s_bay_conductor.py

@@ -77,8 +77,6 @@ class TestBayConductorWithK8s(base.TestCase):
         self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
         self.mock_osc.cinder_region_name.return_value = 'RegionOne'
         self.mock_osc_class.return_value = self.mock_osc
-        mock_stack = self.mock_osc.heat.return_value.stacks.get.return_value
-        mock_stack.parameters = {'user_token': 'fake_token'}
 
     @patch('magnum.objects.BayModel.get_by_uuid')
     def test_extract_template_definition(
@@ -121,7 +119,6 @@ class TestBayConductorWithK8s(base.TestCase):
             'http_proxy': 'http_proxy',
             'https_proxy': 'https_proxy',
             'no_proxy': 'no_proxy',
-            'user_token': self.context.auth_token,
             'bay_uuid': self.bay_dict['uuid'],
             'magnum_url': self.mock_osc.magnum_url.return_value,
             'tls_disabled': False,
@@ -147,7 +144,6 @@ class TestBayConductorWithK8s(base.TestCase):
             'no_proxy': 'no_proxy',
             'tenant_name': 'fake_tenant',
             'username': 'fake_user',
-            'user_token': 'fake_token',
             'bay_uuid': self.bay_dict['uuid'],
             'magnum_url': self.mock_osc.magnum_url.return_value,
             'region_name': self.mock_osc.cinder_region_name.return_value,
@@ -358,7 +354,6 @@ class TestBayConductorWithK8s(base.TestCase):
             'flannel_backend': 'vxlan',
             'tenant_name': 'fake_tenant',
             'username': 'fake_user',
-            'user_token': 'fake_token',
             'bay_uuid': self.bay_dict['uuid'],
             'magnum_url': self.mock_osc.magnum_url.return_value,
             'region_name': self.mock_osc.cinder_region_name.return_value,

magnum/tests/unit/conductor/handlers/test_swarm_bay_conductor.py

@@ -71,8 +71,6 @@ class TestBayConductorWithSwarm(base.TestCase):
         self.mock_osc = mock.MagicMock()
         self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
         self.mock_osc_class.return_value = self.mock_osc
-        mock_stack = self.mock_osc.heat.return_value.stacks.get.return_value
-        mock_stack.parameters = {'user_token': 'fake_token'}
         self.context.auth_url = 'http://192.168.10.10:5000/v3'
 
     @patch('magnum.objects.BayModel.get_by_uuid')
@@ -101,7 +99,6 @@ class TestBayConductorWithSwarm(base.TestCase):
             'http_proxy': 'http_proxy',
             'https_proxy': 'https_proxy',
             'no_proxy': 'no_proxy',
-            'user_token': 'fake_token',
             'bay_uuid': 'some_uuid',
             'magnum_url': self.mock_osc.magnum_url.return_value,
             'tls_disabled': False,
@@ -145,7 +142,6 @@ class TestBayConductorWithSwarm(base.TestCase):
             'number_of_masters': 1,
             'number_of_nodes': 1,
             'discovery_url': 'https://discovery.etcd.io/test',
-            'user_token': 'fake_token',
             'bay_uuid': 'some_uuid',
             'magnum_url': self.mock_osc.magnum_url.return_value,
             'tls_disabled': False,

magnum/tests/unit/conductor/test_template_definition.py

@@ -210,8 +210,7 @@ class AtomicK8sTemplateDefinitionTestCase(base.TestCase):
             'username': 'fake_user',
             'tenant_name': 'fake_tenant',
             'magnum_url': mock_osc.magnum_url.return_value,
-            'region_name': mock_osc.cinder_region_name.return_value,
-            'user_token': mock_context.auth_token}}
+            'region_name': mock_osc.cinder_region_name.return_value}}
         mock_get_params.assert_called_once_with(mock_context, mock_baymodel,
                                                 mock_bay, **expected_kwargs)
 
@@ -264,7 +263,6 @@ class AtomicK8sTemplateDefinitionTestCase(base.TestCase):
             'tenant_name': 'fake_tenant',
             'magnum_url': mock_osc.magnum_url.return_value,
             'region_name': mock_osc.cinder_region_name.return_value,
-            'user_token': mock_context.auth_token,
             'loadbalancing_protocol': 'HTTP',
             'kubernetes_port': 8080}}
         mock_get_params.assert_called_once_with(mock_context, mock_baymodel,
@@ -430,7 +428,6 @@ class AtomicSwarmTemplateDefinitionTestCase(base.TestCase):
 
         expected_kwargs = {'extra_params': {
             'discovery_url': 'fake_discovery_url',
-            'user_token': mock_context.auth_token,
             'magnum_url': mock_osc.magnum_url.return_value,
             'flannel_network_cidr': flannel_cidr,
             'flannel_backend': flannel_backend,