Browse Source

Use trust for tls generation

Currently, we use the users auth token, which expires after a while.

We need to use a trust instead.

Change-Id: Ie18e6a1371871720fbfd4af0bd43e166075b0c6d
Closes-Bug: #1503863
Partially-Implements: blueprint use-trust-for-tls-cert-generation
changes/14/286414/19
Hua Wang 5 years ago
parent
commit
e8d537857a
8 changed files with 131 additions and 2 deletions
  1. +3
    -1
      devstack/lib/magnum
  2. +31
    -0
      magnum/templates/kubernetes/fragments/make-cert-client.sh
  3. +31
    -0
      magnum/templates/kubernetes/fragments/make-cert.sh
  4. +4
    -1
      magnum/templates/kubernetes/fragments/write-heat-params-master.yaml
  5. +4
    -0
      magnum/templates/kubernetes/fragments/write-heat-params.yaml
  6. +8
    -0
      magnum/templates/kubernetes/kubecluster.yaml
  7. +25
    -0
      magnum/templates/kubernetes/kubemaster.yaml
  8. +25
    -0
      magnum/templates/kubernetes/kubeminion.yaml

+ 3
- 1
devstack/lib/magnum View File

@ -155,7 +155,8 @@ function create_magnum_conf {
configure_auth_token_middleware $MAGNUM_CONF magnum $MAGNUM_AUTH_CACHE_DIR
iniset $MAGNUM_CONF keystone_auth auth_url $KEYSTONE_SERVICE_URI/v3
iniset $MAGNUM_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI/v3
iniset $MAGNUM_CONF keystone_authtoken auth_uri \
${KEYSTONE_SERVICE_PROTOCOL}://${HOST_IP}:${KEYSTONE_SERVICE_PORT}/v3
iniset $MAGNUM_CONF keystone_authtoken auth_version v3
if is_fedora || is_suse; then
@ -314,6 +315,7 @@ function configure_iptables {
sudo iptables -t nat -A POSTROUTING -o $OBOUND_DEV -j MASQUERADE
# bay nodes will access m-api (port $MAGNUM_SERVICE_PORT) to get CA certificate.
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT || true
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $KEYSTONE_SERVICE_PORT -j ACCEPT || true
fi
}


+ 31
- 0
magnum/templates/kubernetes/fragments/make-cert-client.sh View File

@ -36,6 +36,37 @@ CLIENT_CERT=$cert_dir/client.crt
CLIENT_CSR=$cert_dir/client.csr
CLIENT_KEY=$cert_dir/client.key
#Get a token by user credentials and trust
cat > auth.json << EOF
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"id": "$TRUSTEE_USER_ID",
"password": "$TRUSTEE_PASSWORD"
}
}
},
"scope": {
"OS-TRUST:trust": {
"id": "$TRUST_ID"
}
}
}
}
EOF
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
rm -rf auth.json
# Get CA certificate for this bay
curl -X GET \
-H "X-Auth-Token: $USER_TOKEN" \


+ 31
- 0
magnum/templates/kubernetes/fragments/make-cert.sh View File

@ -43,6 +43,37 @@ SERVER_CERT=$cert_dir/server.crt
SERVER_CSR=$cert_dir/server.csr
SERVER_KEY=$cert_dir/server.key
#Get a token by user credentials and trust
cat > auth.json << EOF
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"id": "$TRUSTEE_USER_ID",
"password": "$TRUSTEE_PASSWORD"
}
}
},
"scope": {
"OS-TRUST:trust": {
"id": "$TRUST_ID"
}
}
}
}
EOF
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
rm -rf auth.json
# Get CA certificate for this bay
curl -X GET \
-H "X-Auth-Token: $USER_TOKEN" \


+ 4
- 1
magnum/templates/kubernetes/fragments/write-heat-params-master.yaml View File

@ -17,7 +17,6 @@ write_files:
FLANNEL_USE_VXLAN="$FLANNEL_USE_VXLAN"
PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
AUTH_URL="$AUTH_URL"
USERNAME="$USERNAME"
PASSWORD="$PASSWORD"
TENANT_NAME="$TENANT_NAME"
@ -31,3 +30,7 @@ write_files:
NO_PROXY="$NO_PROXY"
WAIT_CURL="$WAIT_CURL"
KUBE_VERSION="$KUBE_VERSION"
TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
TRUST_ID="$TRUST_ID"
AUTH_URL="$AUTH_URL"

+ 4
- 0
magnum/templates/kubernetes/fragments/write-heat-params.yaml View File

@ -32,3 +32,7 @@ write_files:
NO_PROXY="$NO_PROXY"
WAIT_CURL="$WAIT_CURL"
KUBE_VERSION="$KUBE_VERSION"
TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
TRUST_ID="$TRUST_ID"
AUTH_URL="$AUTH_URL"

+ 8
- 0
magnum/templates/kubernetes/kubecluster.yaml View File

@ -458,6 +458,10 @@ resources:
https_proxy: {get_param: https_proxy}
no_proxy: {get_param: no_proxy}
kube_version: {get_param: kube_version}
trustee_user_id: {get_param: trustee_user_id}
trustee_password: {get_param: trustee_password}
trust_id: {get_param: trust_id}
auth_url: {get_param: auth_url}
######################################################################
#
@ -509,6 +513,10 @@ resources:
https_proxy: {get_param: https_proxy}
no_proxy: {get_param: no_proxy}
kube_version: {get_param: kube_version}
trustee_user_id: {get_param: trustee_user_id}
trustee_password: {get_param: trustee_password}
trust_id: {get_param: trust_id}
auth_url: {get_param: auth_url}
outputs:


+ 25
- 0
magnum/templates/kubernetes/kubemaster.yaml View File

@ -158,6 +158,27 @@ parameters:
type: string
description: version of kubernetes used for kubernetes cluster
trustee_user_id:
type: string
description: user id of the trustee
default: ""
trustee_password:
type: string
description: password of the trustee
default: ""
hidden: true
trust_id:
type: string
description: id of the trust which is used by the trustee
default: ""
hidden: true
auth_url:
type: string
description: url for keystone
resources:
master_wait_handle:
@ -210,6 +231,10 @@ resources:
"$NO_PROXY": {get_param: no_proxy}
"$KUBE_VERSION": {get_param: kube_version}
"$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
"$TRUSTEE_USER_ID": {get_param: trustee_user_id}
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
"$TRUST_ID": {get_param: trust_id}
"$AUTH_URL": {get_param: auth_url}
make_cert:
type: OS::Heat::SoftwareConfig


+ 25
- 0
magnum/templates/kubernetes/kubeminion.yaml View File

@ -170,6 +170,27 @@ parameters:
type: string
description: version of kubenetes used for kubernetes cluster
trustee_user_id:
type: string
description: user id of the trustee
default: ""
trustee_password:
type: string
description: password of the trustee
default: ""
hidden: true
trust_id:
type: string
description: id of the trust which is used by the trustee
default: ""
hidden: true
auth_url:
type: string
description: url for keystone
resources:
minion_wait_handle:
@ -223,6 +244,10 @@ resources:
$NO_PROXY: {get_param: no_proxy}
$KUBE_VERSION: {get_param: kube_version}
$WAIT_CURL: {get_attr: [minion_wait_handle, curl_cli]}
$TRUSTEE_USER_ID: {get_param: trustee_user_id}
$TRUSTEE_PASSWORD: {get_param: trustee_password}
$TRUST_ID: {get_param: trust_id}
$AUTH_URL: {get_param: auth_url}
write_kubeconfig:
type: OS::Heat::SoftwareConfig


Loading…
Cancel
Save