Use trust for tls cert generation in swarm
Currently, we use the user's auth token, which expires after a while. We need to use a trust instead. Remove user_token at the same time. Change-Id: Id1d34c59eccd70be24c5b9e00cd921b5a9d59860 Partially-Implements: blueprint use-trust-for-tls-cert-generation
parent
ee059477be
commit
5ecf71aabc
|
@ -363,20 +363,6 @@ class BaseTemplateDefinition(TemplateDefinition):
|
|||
extra_params=extra_params,
|
||||
**kwargs)
|
||||
|
||||
def _get_user_token(self, context, osc, bay):
|
||||
"""Retrieve user token from the Heat stack or context.
|
||||
|
||||
:param context: The security context
|
||||
:param osc: The openstack client
|
||||
:param bay: The bay
|
||||
:return: A user token
|
||||
"""
|
||||
if hasattr(bay, 'stack_id'):
|
||||
stack = osc.heat().stacks.get(bay.stack_id)
|
||||
return stack.parameters['user_token']
|
||||
else:
|
||||
return context.auth_token
|
||||
|
||||
def get_discovery_url(self, bay):
|
||||
if hasattr(bay, 'discovery_url') and bay.discovery_url:
|
||||
discovery_url = bay.discovery_url
|
||||
|
@ -518,7 +504,6 @@ class AtomicK8sTemplateDefinition(K8sTemplateDefinition):
|
|||
extra_params['username'] = context.user_name
|
||||
extra_params['tenant_name'] = context.tenant
|
||||
osc = clients.OpenStackClients(context)
|
||||
extra_params['user_token'] = self._get_user_token(context, osc, bay)
|
||||
extra_params['magnum_url'] = osc.magnum_url()
|
||||
extra_params['region_name'] = osc.cinder_region_name()
|
||||
|
||||
|
@ -597,7 +582,6 @@ class AtomicSwarmTemplateDefinition(BaseTemplateDefinition):
|
|||
# it should be replaced with an actual trust token with only
|
||||
# access to do what the template needs it to do.
|
||||
osc = clients.OpenStackClients(context)
|
||||
extra_params['user_token'] = self._get_user_token(context, osc, bay)
|
||||
extra_params['magnum_url'] = osc.magnum_url()
|
||||
|
||||
label_list = ['flannel_network_cidr', 'flannel_backend',
|
||||
|
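Review bot: The two comment lines kept at the top of the AtomicSwarmTemplateDefinition hunk (`# it should be replaced with an actual trust token with only` / `# access to do what the template needs it to do.`) described the `extra_params['user_token']` assignment this commit deletes, so they now hang over `osc = clients.OpenStackClients(context)` and read as if a token were still being passed. The comment starts before the hunk, so either drop the whole comment or reword it to say that the node now obtains a trust-scoped token itself (e.g. `# The node authenticates back to Magnum with a trust-scoped token it requests from Keystone; no user token is passed in.`). Removing `_get_user_token` in the first hunk looks safe as far as this page shows, since both call sites are deleted in the other two hunks. The enclosing methods begin outside the hunks.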
|
|
@ -23,7 +23,6 @@ write_files:
|
|||
CLUSTER_SUBNET="$CLUSTER_SUBNET"
|
||||
TLS_DISABLED="$TLS_DISABLED"
|
||||
BAY_UUID="$BAY_UUID"
|
||||
USER_TOKEN="$USER_TOKEN"
|
||||
MAGNUM_URL="$MAGNUM_URL"
|
||||
HTTP_PROXY="$HTTP_PROXY"
|
||||
HTTPS_PROXY="$HTTPS_PROXY"
|
||||
|
|
|
@ -25,7 +25,6 @@ write_files:
|
|||
REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
|
||||
TLS_DISABLED="$TLS_DISABLED"
|
||||
BAY_UUID="$BAY_UUID"
|
||||
USER_TOKEN="$USER_TOKEN"
|
||||
MAGNUM_URL="$MAGNUM_URL"
|
||||
AUTH_URL="$AUTH_URL"
|
||||
USERNAME="$USERNAME"
|
||||
|
|
|
@ -224,10 +224,6 @@ parameters:
|
|||
service.
|
||||
default: 6443
|
||||
|
||||
user_token:
|
||||
type: string
|
||||
description: token used for communicating back to Magnum for TLS certs
|
||||
|
||||
bay_uuid:
|
||||
type: string
|
||||
description: identifier for the bay this template is generating
|
||||
|
@ -447,7 +443,6 @@ resources:
|
|||
flannel_backend: {get_param: flannel_backend}
|
||||
portal_network_cidr: {get_param: portal_network_cidr}
|
||||
discovery_url: {get_param: discovery_url}
|
||||
user_token: {get_param: user_token}
|
||||
bay_uuid: {get_param: bay_uuid}
|
||||
magnum_url: {get_param: magnum_url}
|
||||
fixed_network: {get_resource: fixed_network}
|
||||
|
@ -510,7 +505,6 @@ resources:
|
|||
registry_container: {get_param: registry_container}
|
||||
registry_insecure: {get_param: registry_insecure}
|
||||
registry_chunksize: {get_param: registry_chunksize}
|
||||
user_token: {get_param: user_token}
|
||||
bay_uuid: {get_param: bay_uuid}
|
||||
magnum_url: {get_param: magnum_url}
|
||||
volume_driver: {get_param: volume_driver}
|
||||
|
|
|
@ -81,10 +81,6 @@ parameters:
|
|||
service.
|
||||
default: 6443
|
||||
|
||||
user_token:
|
||||
type: string
|
||||
description: token used for communicating back to Magnum for TLS certs
|
||||
|
||||
bay_uuid:
|
||||
type: string
|
||||
description: identifier for the bay this template is generating
|
||||
|
@ -220,7 +216,6 @@ resources:
|
|||
"$CLUSTER_SUBNET": {get_param: fixed_subnet}
|
||||
"$TLS_DISABLED": {get_param: tls_disabled}
|
||||
"$BAY_UUID": {get_param: bay_uuid}
|
||||
"$USER_TOKEN": {get_param: user_token}
|
||||
"$MAGNUM_URL": {get_param: magnum_url}
|
||||
"$HTTP_PROXY": {get_param: http_proxy}
|
||||
"$HTTPS_PROXY": {get_param: https_proxy}
|
||||
|
|
|
@ -52,10 +52,6 @@ parameters:
|
|||
service.
|
||||
default: 6443
|
||||
|
||||
user_token:
|
||||
type: string
|
||||
description: token used for communicating back to Magnum for TLS certs
|
||||
|
||||
bay_uuid:
|
||||
type: string
|
||||
description: identifier for the bay this template is generating
|
||||
|
@ -270,7 +266,6 @@ resources:
|
|||
$REGISTRY_CHUNKSIZE: {get_param: registry_chunksize}
|
||||
$TLS_DISABLED: {get_param: tls_disabled}
|
||||
$BAY_UUID: {get_param: bay_uuid}
|
||||
$USER_TOKEN: {get_param: user_token}
|
||||
$MAGNUM_URL: {get_param: magnum_url}
|
||||
$AUTH_URL: {get_param: auth_url}
|
||||
$USERNAME: {get_param: username}
|
||||
|
|
|
@ -133,10 +133,47 @@ def write_server_cert(config, csr_req):
|
|||
fp.write(csr_resp.json()['pem'])
|
||||
|
||||
|
||||
def get_user_token(config):
|
||||
creds_str = '''
|
||||
{
|
||||
"auth": {
|
||||
"identity": {
|
||||
"methods": [
|
||||
"password"
|
||||
],
|
||||
"password": {
|
||||
"user": {
|
||||
"id": "%(trustee_user_id)s",
|
||||
"password": "%(trustee_password)s"
|
||||
}
|
||||
}
|
||||
},
|
||||
"scope": {
|
||||
"OS-TRUST:trust": {
|
||||
"id": "%(trust_id)s"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
'''
|
||||
params = {
|
||||
'trustee_user_id': config['TRUSTEE_USER_ID'],
|
||||
'trustee_password': config['TRUSTEE_PASSWORD'],
|
||||
'trust_id': config['TRUST_ID']
|
||||
}
|
||||
creds = creds_str % params
|
||||
headers = {'Content-Type': 'application/json'}
|
||||
url = config['AUTH_URL'].replace('v2.0', 'v3') + '/auth/tokens'
|
||||
r = requests.post(url, headers=headers, data=creds)
|
||||
config['USER_TOKEN'] = r.headers['X-Subject-Token']
|
||||
return config
|
||||
|
||||
|
||||
def main():
|
||||
config = load_config()
|
||||
if config['TLS_DISABLED'] == 'False':
|
||||
create_dirs()
|
||||
config = get_user_token(config)
|
||||
write_ca_cert(config)
|
||||
write_server_key()
|
||||
csr_req = create_server_csr(config)
|
||||
|
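Review bot: In `get_user_token` the trustee password and ids are `%`-interpolated into a JSON string template, so a password containing `"` or `\` yields a malformed body and a Keystone 400, and the following `r.headers['X-Subject-Token']` then fails with a bare KeyError because an unsuccessful auth response carries no subject token. Build the body as a dict and serialise it with `json.dumps` (stdlib; the script's imports are outside the hunk), and call `r.raise_for_status()` before reading the header so a wrong trust or expired trustee password fails with the HTTP status instead. The `config['AUTH_URL'].replace('v2.0', 'v3')` rewrite also deserves a comment, since it silently assumes the operator-configured auth URL is a v2.0 endpoint; and the name `USER_TOKEN` is now a misnomer for a trust-scoped token, so a one-line docstring such as `"""Request a trust-scoped Keystone token for the trustee and store it in config['USER_TOKEN']."""` would help the next reader.
```python
def get_user_token(config):
    """Request a trust-scoped Keystone token for the trustee and store it in config['USER_TOKEN']."""
    # Build the request as a dict so credential values are JSON-escaped
    # rather than interpolated into a string template.
    creds = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "id": config['TRUSTEE_USER_ID'],
                        "password": config['TRUSTEE_PASSWORD'],
                    }
                }
            },
            "scope": {"OS-TRUST:trust": {"id": config['TRUST_ID']}},
        }
    }
    headers = {'Content-Type': 'application/json'}
    # Assumes AUTH_URL is a v2.0 endpoint; trust scoping needs the v3 API.
    url = config['AUTH_URL'].replace('v2.0', 'v3') + '/auth/tokens'
    r = requests.post(url, headers=headers, data=json.dumps(creds))
    # A failed authentication returns no X-Subject-Token; surface the
    # HTTP status instead of a bare KeyError on the header lookup.
    r.raise_for_status()
    config['USER_TOKEN'] = r.headers['X-Subject-Token']
    return config
```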
|
|
@ -14,7 +14,6 @@ write_files:
|
|||
SWARM_API_IP="$SWARM_API_IP"
|
||||
SWARM_NODE_IP="$SWARM_NODE_IP"
|
||||
BAY_UUID="$BAY_UUID"
|
||||
USER_TOKEN="$USER_TOKEN"
|
||||
MAGNUM_URL="$MAGNUM_URL"
|
||||
TLS_DISABLED="$TLS_DISABLED"
|
||||
NETWORK_DRIVER="$NETWORK_DRIVER"
|
||||
|
@ -25,3 +24,7 @@ write_files:
|
|||
API_IP_ADDRESS="$API_IP_ADDRESS"
|
||||
SWARM_VERSION="$SWARM_VERSION"
|
||||
AGENT_WAIT_HANDLE="$AGENT_WAIT_HANDLE"
|
||||
TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
|
||||
TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
|
||||
TRUST_ID="$TRUST_ID"
|
||||
AUTH_URL="$AUTH_URL"
|
||||
|
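Review bot: The second hunk writes `TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"` and `TRUST_ID="$TRUST_ID"` into the same heat-params file that previously held only non-secret values, and the `write_files` entry header with its `permissions:` field is outside the hunk, so it is not visible whether the file is world-readable on the node. A trustee password at rest on the instance should be restricted to the owner, e.g. `permissions: "0600"` on that entry, and the surrounding comment should say the file now contains credentials. If the entry already sets that, a short note in the commit message would save the next reviewer the lookup.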
|
|
@ -25,10 +25,6 @@ parameters:
|
|||
type: string
|
||||
description: url provided for node discovery
|
||||
|
||||
user_token:
|
||||
type: string
|
||||
description: token used for communicating back to Magnum for TLS certs
|
||||
|
||||
bay_uuid:
|
||||
type: string
|
||||
description: identifier for the bay this template is generating
|
||||
|
@ -310,7 +306,6 @@ resources:
|
|||
no_proxy: {get_param: no_proxy}
|
||||
swarm_api_ip: {get_attr: [api_pool, vip, address]}
|
||||
bay_uuid: {get_param: bay_uuid}
|
||||
user_token: {get_param: user_token}
|
||||
magnum_url: {get_param: magnum_url}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
secgroup_swarm_master_id: {get_resource: secgroup_manager}
|
||||
|
@ -324,6 +319,10 @@ resources:
|
|||
etcd_server_ip: {get_attr: [etcd_pool, vip, address]}
|
||||
api_ip_address: {get_attr: [api_pool_floating, floating_ip_address]}
|
||||
swarm_version: {get_param: swarm_version}
|
||||
trustee_user_id: {get_param: trustee_user_id}
|
||||
trustee_password: {get_param: trustee_password}
|
||||
trust_id: {get_param: trust_id}
|
||||
auth_url: {get_param: auth_url}
|
||||
|
||||
swarm_nodes:
|
||||
type: "OS::Heat::ResourceGroup"
|
||||
|
@ -347,7 +346,6 @@ resources:
|
|||
no_proxy: {get_param: no_proxy}
|
||||
swarm_api_ip: {get_attr: [api_pool, vip, address]}
|
||||
bay_uuid: {get_param: bay_uuid}
|
||||
user_token: {get_param: user_token}
|
||||
magnum_url: {get_param: magnum_url}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
secgroup_swarm_node_id: {get_resource: secgroup_manager}
|
||||
|
@ -356,6 +354,10 @@ resources:
|
|||
etcd_server_ip: {get_attr: [etcd_pool, vip, address]}
|
||||
api_ip_address: {get_attr: [api_pool_floating, floating_ip_address]}
|
||||
swarm_version: {get_param: swarm_version}
|
||||
trustee_user_id: {get_param: trustee_user_id}
|
||||
trustee_password: {get_param: trustee_password}
|
||||
trust_id: {get_param: trust_id}
|
||||
auth_url: {get_param: auth_url}
|
||||
|
||||
outputs:
|
||||
|
||||
|
|
|
@ -24,10 +24,6 @@ parameters:
|
|||
type: string
|
||||
description: url provided for node discovery
|
||||
|
||||
user_token:
|
||||
type: string
|
||||
description: token used for communicating back to Magnum for TLS certs
|
||||
|
||||
bay_uuid:
|
||||
type: string
|
||||
description: identifier for the bay this template is generating
|
||||
|
@ -120,6 +116,27 @@ parameters:
|
|||
type: string
|
||||
description: ip address of the load balancer pool of etcd server.
|
||||
|
||||
trustee_user_id:
|
||||
type: string
|
||||
description: user id of the trustee
|
||||
default: ""
|
||||
|
||||
trustee_password:
|
||||
type: string
|
||||
description: password of the trustee
|
||||
default: ""
|
||||
hidden: true
|
||||
|
||||
trust_id:
|
||||
type: string
|
||||
description: id of the trust which is used by the trustee
|
||||
default: ""
|
||||
hidden: true
|
||||
|
||||
auth_url:
|
||||
type: string
|
||||
description: url for keystone
|
||||
|
||||
resources:
|
||||
|
||||
cloud_init_wait_handle:
|
||||
|
@ -168,7 +185,6 @@ resources:
|
|||
"$SWARM_API_IP": {get_param: swarm_api_ip}
|
||||
"$SWARM_NODE_IP": {get_attr: [swarm_master_eth0, fixed_ips, 0, ip_address]}
|
||||
"$BAY_UUID": {get_param: bay_uuid}
|
||||
"$USER_TOKEN": {get_param: user_token}
|
||||
"$MAGNUM_URL": {get_param: magnum_url}
|
||||
"$TLS_DISABLED": {get_param: tls_disabled}
|
||||
"$NETWORK_DRIVER": {get_param: network_driver}
|
||||
|
@ -178,6 +194,10 @@ resources:
|
|||
"$ETCD_SERVER_IP": {get_param: etcd_server_ip}
|
||||
"$API_IP_ADDRESS": {get_param: api_ip_address}
|
||||
"$SWARM_VERSION": {get_param: swarm_version}
|
||||
"$TRUSTEE_USER_ID": {get_param: trustee_user_id}
|
||||
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
|
||||
"$TRUST_ID": {get_param: trust_id}
|
||||
"$AUTH_URL": {get_param: auth_url}
|
||||
|
||||
write_network_config:
|
||||
type: "OS::Heat::SoftwareConfig"
|
||||
|
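Review bot: In the `parameters:` hunk the new `trustee_password` and `trust_id` entries carry `default: ""`, so a stack created without a trust passes Heat validation and only fails later on the node, where make-cert posts empty credentials to Keystone and gets an opaque auth error; the swarm node template in this same commit declares the same three parameters without defaults, so the two templates disagree on whether a trust is mandatory. Unless the empty defaults are deliberately there for the `tls_disabled` path, drop them here as well so a missing trust is rejected at stack creation (`trustee_password:` / `type: string` / `hidden: true`). `trustee_user_id` being unhidden is fine since it is an identifier, not a secret.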
|
|
@ -69,10 +69,6 @@ parameters:
|
|||
type: string
|
||||
description: swarm master's api server public ip address
|
||||
|
||||
user_token:
|
||||
type: string
|
||||
description: token used for communicating back to Magnum for TLS certs
|
||||
|
||||
bay_uuid:
|
||||
type: string
|
||||
description: identifier for the bay this template is generating
|
||||
|
@ -97,6 +93,24 @@ parameters:
|
|||
type: string
|
||||
description: ip address of the load balancer pool of etcd server.
|
||||
|
||||
trustee_user_id:
|
||||
type: string
|
||||
description: user id of the trustee
|
||||
|
||||
trustee_password:
|
||||
type: string
|
||||
description: password of the trustee
|
||||
hidden: true
|
||||
|
||||
trust_id:
|
||||
type: string
|
||||
description: id of the trust which is used by the trustee
|
||||
hidden: true
|
||||
|
||||
auth_url:
|
||||
type: string
|
||||
description: url for keystone
|
||||
|
||||
resources:
|
||||
|
||||
node_cloud_init_wait_handle:
|
||||
|
@ -143,7 +157,6 @@ resources:
|
|||
"$SWARM_API_IP": {get_param: swarm_api_ip}
|
||||
"$SWARM_NODE_IP": {get_attr: [swarm_node_eth0, fixed_ips, 0, ip_address]}
|
||||
"$BAY_UUID": {get_param: bay_uuid}
|
||||
"$USER_TOKEN": {get_param: user_token}
|
||||
"$MAGNUM_URL": {get_param: magnum_url}
|
||||
"$TLS_DISABLED": {get_param: tls_disabled}
|
||||
"$NETWORK_DRIVER": {get_param: network_driver}
|
||||
|
@ -151,6 +164,10 @@ resources:
|
|||
"$API_IP_ADDRESS": {get_param: api_ip_address}
|
||||
"$SWARM_VERSION": {get_param: swarm_version}
|
||||
"$AGENT_WAIT_HANDLE": {get_resource: node_agent_wait_handle}
|
||||
"$TRUSTEE_USER_ID": {get_param: trustee_user_id}
|
||||
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
|
||||
"$TRUST_ID": {get_param: trust_id}
|
||||
"$AUTH_URL": {get_param: auth_url}
|
||||
|
||||
remove_docker_key:
|
||||
type: "OS::Heat::SoftwareConfig"
|
||||
|
|
|
@ -77,8 +77,6 @@ class TestBayConductorWithK8s(base.TestCase):
|
|||
self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
|
||||
self.mock_osc.cinder_region_name.return_value = 'RegionOne'
|
||||
self.mock_osc_class.return_value = self.mock_osc
|
||||
mock_stack = self.mock_osc.heat.return_value.stacks.get.return_value
|
||||
mock_stack.parameters = {'user_token': 'fake_token'}
|
||||
|
||||
@patch('magnum.objects.BayModel.get_by_uuid')
|
||||
def test_extract_template_definition(
|
||||
|
@ -121,7 +119,6 @@ class TestBayConductorWithK8s(base.TestCase):
|
|||
'http_proxy': 'http_proxy',
|
||||
'https_proxy': 'https_proxy',
|
||||
'no_proxy': 'no_proxy',
|
||||
'user_token': self.context.auth_token,
|
||||
'bay_uuid': self.bay_dict['uuid'],
|
||||
'magnum_url': self.mock_osc.magnum_url.return_value,
|
||||
'tls_disabled': False,
|
||||
|
@ -147,7 +144,6 @@ class TestBayConductorWithK8s(base.TestCase):
|
|||
'no_proxy': 'no_proxy',
|
||||
'tenant_name': 'fake_tenant',
|
||||
'username': 'fake_user',
|
||||
'user_token': 'fake_token',
|
||||
'bay_uuid': self.bay_dict['uuid'],
|
||||
'magnum_url': self.mock_osc.magnum_url.return_value,
|
||||
'region_name': self.mock_osc.cinder_region_name.return_value,
|
||||
|
@ -358,7 +354,6 @@ class TestBayConductorWithK8s(base.TestCase):
|
|||
'flannel_backend': 'vxlan',
|
||||
'tenant_name': 'fake_tenant',
|
||||
'username': 'fake_user',
|
||||
'user_token': 'fake_token',
|
||||
'bay_uuid': self.bay_dict['uuid'],
|
||||
'magnum_url': self.mock_osc.magnum_url.return_value,
|
||||
'region_name': self.mock_osc.cinder_region_name.return_value,
|
||||
|
|
|
@ -71,8 +71,6 @@ class TestBayConductorWithSwarm(base.TestCase):
|
|||
self.mock_osc = mock.MagicMock()
|
||||
self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
|
||||
self.mock_osc_class.return_value = self.mock_osc
|
||||
mock_stack = self.mock_osc.heat.return_value.stacks.get.return_value
|
||||
mock_stack.parameters = {'user_token': 'fake_token'}
|
||||
self.context.auth_url = 'http://192.168.10.10:5000/v3'
|
||||
|
||||
@patch('magnum.objects.BayModel.get_by_uuid')
|
||||
|
@ -101,7 +99,6 @@ class TestBayConductorWithSwarm(base.TestCase):
|
|||
'http_proxy': 'http_proxy',
|
||||
'https_proxy': 'https_proxy',
|
||||
'no_proxy': 'no_proxy',
|
||||
'user_token': 'fake_token',
|
||||
'bay_uuid': 'some_uuid',
|
||||
'magnum_url': self.mock_osc.magnum_url.return_value,
|
||||
'tls_disabled': False,
|
||||
|
@ -145,7 +142,6 @@ class TestBayConductorWithSwarm(base.TestCase):
|
|||
'number_of_masters': 1,
|
||||
'number_of_nodes': 1,
|
||||
'discovery_url': 'https://discovery.etcd.io/test',
|
||||
'user_token': 'fake_token',
|
||||
'bay_uuid': 'some_uuid',
|
||||
'magnum_url': self.mock_osc.magnum_url.return_value,
|
||||
'tls_disabled': False,
|
||||
|
|
|
@ -210,8 +210,7 @@ class AtomicK8sTemplateDefinitionTestCase(base.TestCase):
|
|||
'username': 'fake_user',
|
||||
'tenant_name': 'fake_tenant',
|
||||
'magnum_url': mock_osc.magnum_url.return_value,
|
||||
'region_name': mock_osc.cinder_region_name.return_value,
|
||||
'user_token': mock_context.auth_token}}
|
||||
'region_name': mock_osc.cinder_region_name.return_value}}
|
||||
mock_get_params.assert_called_once_with(mock_context, mock_baymodel,
|
||||
mock_bay, **expected_kwargs)
|
||||
|
||||
|
@ -264,7 +263,6 @@ class AtomicK8sTemplateDefinitionTestCase(base.TestCase):
|
|||
'tenant_name': 'fake_tenant',
|
||||
'magnum_url': mock_osc.magnum_url.return_value,
|
||||
'region_name': mock_osc.cinder_region_name.return_value,
|
||||
'user_token': mock_context.auth_token,
|
||||
'loadbalancing_protocol': 'HTTP',
|
||||
'kubernetes_port': 8080}}
|
||||
mock_get_params.assert_called_once_with(mock_context, mock_baymodel,
|
||||
|
@ -430,7 +428,6 @@ class AtomicSwarmTemplateDefinitionTestCase(base.TestCase):
|
|||
|
||||
expected_kwargs = {'extra_params': {
|
||||
'discovery_url': 'fake_discovery_url',
|
||||
'user_token': mock_context.auth_token,
|
||||
'magnum_url': mock_osc.magnum_url.return_value,
|
||||
'flannel_network_cidr': flannel_cidr,
|
||||
'flannel_backend': flannel_backend,
|
||||
|
|