Use trust for tls generation
Currently, we use the users auth token, which expires after a while. We need to use a trust instead. Change-Id: Ie18e6a1371871720fbfd4af0bd43e166075b0c6d Closes-Bug: #1503863 Partially-Implements: blueprint use-trust-for-tls-cert-generation
This commit is contained in:
parent
e8a108b182
commit
e8d537857a
|
@ -155,7 +155,8 @@ function create_magnum_conf {
|
|||
configure_auth_token_middleware $MAGNUM_CONF magnum $MAGNUM_AUTH_CACHE_DIR
|
||||
|
||||
iniset $MAGNUM_CONF keystone_auth auth_url $KEYSTONE_SERVICE_URI/v3
|
||||
iniset $MAGNUM_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI/v3
|
||||
iniset $MAGNUM_CONF keystone_authtoken auth_uri \
|
||||
${KEYSTONE_SERVICE_PROTOCOL}://${HOST_IP}:${KEYSTONE_SERVICE_PORT}/v3
|
||||
iniset $MAGNUM_CONF keystone_authtoken auth_version v3
|
||||
|
||||
if is_fedora || is_suse; then
|
||||
|
@ -314,6 +315,7 @@ function configure_iptables {
|
|||
sudo iptables -t nat -A POSTROUTING -o $OBOUND_DEV -j MASQUERADE
|
||||
# bay nodes will access m-api (port $MAGNUM_SERVICE_PORT) to get CA certificate.
|
||||
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT || true
|
||||
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $KEYSTONE_SERVICE_PORT -j ACCEPT || true
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
|
@ -36,6 +36,37 @@ CLIENT_CERT=$cert_dir/client.crt
|
|||
CLIENT_CSR=$cert_dir/client.csr
|
||||
CLIENT_KEY=$cert_dir/client.key
|
||||
|
||||
#Get a token by user credentials and trust
|
||||
cat > auth.json << EOF
|
||||
{
|
||||
"auth": {
|
||||
"identity": {
|
||||
"methods": [
|
||||
"password"
|
||||
],
|
||||
"password": {
|
||||
"user": {
|
||||
"id": "$TRUSTEE_USER_ID",
|
||||
"password": "$TRUSTEE_PASSWORD"
|
||||
}
|
||||
}
|
||||
},
|
||||
"scope": {
|
||||
"OS-TRUST:trust": {
|
||||
"id": "$TRUST_ID"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
#trust is introduced in Keystone v3 version
|
||||
AUTH_URL=${AUTH_URL/v2.0/v3}
|
||||
USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
|
||||
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
|
||||
|
||||
rm -rf auth.json
|
||||
|
||||
# Get CA certificate for this bay
|
||||
curl -X GET \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
|
|
|
@ -43,6 +43,37 @@ SERVER_CERT=$cert_dir/server.crt
|
|||
SERVER_CSR=$cert_dir/server.csr
|
||||
SERVER_KEY=$cert_dir/server.key
|
||||
|
||||
#Get a token by user credentials and trust
|
||||
cat > auth.json << EOF
|
||||
{
|
||||
"auth": {
|
||||
"identity": {
|
||||
"methods": [
|
||||
"password"
|
||||
],
|
||||
"password": {
|
||||
"user": {
|
||||
"id": "$TRUSTEE_USER_ID",
|
||||
"password": "$TRUSTEE_PASSWORD"
|
||||
}
|
||||
}
|
||||
},
|
||||
"scope": {
|
||||
"OS-TRUST:trust": {
|
||||
"id": "$TRUST_ID"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
#trust is introduced in Keystone v3 version
|
||||
AUTH_URL=${AUTH_URL/v2.0/v3}
|
||||
USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
|
||||
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
|
||||
|
||||
rm -rf auth.json
|
||||
|
||||
# Get CA certificate for this bay
|
||||
curl -X GET \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
|
|
|
@ -17,7 +17,6 @@ write_files:
|
|||
FLANNEL_USE_VXLAN="$FLANNEL_USE_VXLAN"
|
||||
PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
|
||||
ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
|
||||
AUTH_URL="$AUTH_URL"
|
||||
USERNAME="$USERNAME"
|
||||
PASSWORD="$PASSWORD"
|
||||
TENANT_NAME="$TENANT_NAME"
|
||||
|
@ -31,3 +30,7 @@ write_files:
|
|||
NO_PROXY="$NO_PROXY"
|
||||
WAIT_CURL="$WAIT_CURL"
|
||||
KUBE_VERSION="$KUBE_VERSION"
|
||||
TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
|
||||
TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
|
||||
TRUST_ID="$TRUST_ID"
|
||||
AUTH_URL="$AUTH_URL"
|
||||
|
|
|
@ -32,3 +32,7 @@ write_files:
|
|||
NO_PROXY="$NO_PROXY"
|
||||
WAIT_CURL="$WAIT_CURL"
|
||||
KUBE_VERSION="$KUBE_VERSION"
|
||||
TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
|
||||
TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
|
||||
TRUST_ID="$TRUST_ID"
|
||||
AUTH_URL="$AUTH_URL"
|
||||
|
|
|
@ -458,6 +458,10 @@ resources:
|
|||
https_proxy: {get_param: https_proxy}
|
||||
no_proxy: {get_param: no_proxy}
|
||||
kube_version: {get_param: kube_version}
|
||||
trustee_user_id: {get_param: trustee_user_id}
|
||||
trustee_password: {get_param: trustee_password}
|
||||
trust_id: {get_param: trust_id}
|
||||
auth_url: {get_param: auth_url}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
|
@ -509,6 +513,10 @@ resources:
|
|||
https_proxy: {get_param: https_proxy}
|
||||
no_proxy: {get_param: no_proxy}
|
||||
kube_version: {get_param: kube_version}
|
||||
trustee_user_id: {get_param: trustee_user_id}
|
||||
trustee_password: {get_param: trustee_password}
|
||||
trust_id: {get_param: trust_id}
|
||||
auth_url: {get_param: auth_url}
|
||||
|
||||
outputs:
|
||||
|
||||
|
|
|
@ -158,6 +158,27 @@ parameters:
|
|||
type: string
|
||||
description: version of kubernetes used for kubernetes cluster
|
||||
|
||||
trustee_user_id:
|
||||
type: string
|
||||
description: user id of the trustee
|
||||
default: ""
|
||||
|
||||
trustee_password:
|
||||
type: string
|
||||
description: password of the trustee
|
||||
default: ""
|
||||
hidden: true
|
||||
|
||||
trust_id:
|
||||
type: string
|
||||
description: id of the trust which is used by the trustee
|
||||
default: ""
|
||||
hidden: true
|
||||
|
||||
auth_url:
|
||||
type: string
|
||||
description: url for keystone
|
||||
|
||||
resources:
|
||||
|
||||
master_wait_handle:
|
||||
|
@ -210,6 +231,10 @@ resources:
|
|||
"$NO_PROXY": {get_param: no_proxy}
|
||||
"$KUBE_VERSION": {get_param: kube_version}
|
||||
"$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
|
||||
"$TRUSTEE_USER_ID": {get_param: trustee_user_id}
|
||||
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
|
||||
"$TRUST_ID": {get_param: trust_id}
|
||||
"$AUTH_URL": {get_param: auth_url}
|
||||
|
||||
make_cert:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
|
|
|
@ -170,6 +170,27 @@ parameters:
|
|||
type: string
|
||||
description: version of kubenetes used for kubernetes cluster
|
||||
|
||||
trustee_user_id:
|
||||
type: string
|
||||
description: user id of the trustee
|
||||
default: ""
|
||||
|
||||
trustee_password:
|
||||
type: string
|
||||
description: password of the trustee
|
||||
default: ""
|
||||
hidden: true
|
||||
|
||||
trust_id:
|
||||
type: string
|
||||
description: id of the trust which is used by the trustee
|
||||
default: ""
|
||||
hidden: true
|
||||
|
||||
auth_url:
|
||||
type: string
|
||||
description: url for keystone
|
||||
|
||||
resources:
|
||||
|
||||
minion_wait_handle:
|
||||
|
@ -223,6 +244,10 @@ resources:
|
|||
$NO_PROXY: {get_param: no_proxy}
|
||||
$KUBE_VERSION: {get_param: kube_version}
|
||||
$WAIT_CURL: {get_attr: [minion_wait_handle, curl_cli]}
|
||||
$TRUSTEE_USER_ID: {get_param: trustee_user_id}
|
||||
$TRUSTEE_PASSWORD: {get_param: trustee_password}
|
||||
$TRUST_ID: {get_param: trust_id}
|
||||
$AUTH_URL: {get_param: auth_url}
|
||||
|
||||
write_kubeconfig:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
|
|
Loading…
Reference in New Issue