
Use trust for tls generation

Currently, we use the user's auth token, which expires after a while.

We need to use a trust instead.

Change-Id: Ie18e6a1371871720fbfd4af0bd43e166075b0c6d
Closes-Bug: #1503863
Partially-Implements: blueprint use-trust-for-tls-cert-generation
changes/14/286414/19
Hua Wang 6 years ago
parent
commit
e8d537857a
  1. 4
      devstack/lib/magnum
  2. 31
      magnum/templates/kubernetes/fragments/make-cert-client.sh
  3. 31
      magnum/templates/kubernetes/fragments/make-cert.sh
  4. 5
      magnum/templates/kubernetes/fragments/write-heat-params-master.yaml
  5. 4
      magnum/templates/kubernetes/fragments/write-heat-params.yaml
  6. 8
      magnum/templates/kubernetes/kubecluster.yaml
  7. 25
      magnum/templates/kubernetes/kubemaster.yaml
  8. 25
      magnum/templates/kubernetes/kubeminion.yaml

4
devstack/lib/magnum

@ -155,7 +155,8 @@ function create_magnum_conf {
configure_auth_token_middleware $MAGNUM_CONF magnum $MAGNUM_AUTH_CACHE_DIR
iniset $MAGNUM_CONF keystone_auth auth_url $KEYSTONE_SERVICE_URI/v3
iniset $MAGNUM_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI/v3
iniset $MAGNUM_CONF keystone_authtoken auth_uri \
${KEYSTONE_SERVICE_PROTOCOL}://${HOST_IP}:${KEYSTONE_SERVICE_PORT}/v3
iniset $MAGNUM_CONF keystone_authtoken auth_version v3
if is_fedora || is_suse; then
@ -314,6 +315,7 @@ function configure_iptables {
sudo iptables -t nat -A POSTROUTING -o $OBOUND_DEV -j MASQUERADE
# bay nodes will access m-api (port $MAGNUM_SERVICE_PORT) to get CA certificate.
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT || true
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $KEYSTONE_SERVICE_PORT -j ACCEPT || true
fi
}
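Review bot: The new rule `sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $KEYSTONE_SERVICE_PORT -j ACCEPT || true` has no comment, while the m-api rule right above it explains why the port is opened; add `# bay nodes will access keystone (port $KEYSTONE_SERVICE_PORT) to get a trust-scoped token.` above it. The `|| true` also discards a failed insert, so a node that cannot reach keystone will only show up later as a certificate-generation failure inside the bay; echoing a warning in the failure branch instead of `true` would make that diagnosable from the devstack log. In the first hunk, `auth_uri` is now built from `${KEYSTONE_SERVICE_PROTOCOL}://${HOST_IP}:${KEYSTONE_SERVICE_PORT}/v3` instead of `$KEYSTONE_SERVICE_URI`, presumably so the endpoint is reachable from bay nodes; a one-line comment stating that intent would stop a later cleanup from folding it back. Both `create_magnum_conf` and `configure_iptables` start outside the hunks.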

31
magnum/templates/kubernetes/fragments/make-cert-client.sh

@ -36,6 +36,37 @@ CLIENT_CERT=$cert_dir/client.crt
CLIENT_CSR=$cert_dir/client.csr
CLIENT_KEY=$cert_dir/client.key
#Get a token by user credentials and trust
cat > auth.json << EOF
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"id": "$TRUSTEE_USER_ID",
"password": "$TRUSTEE_PASSWORD"
}
}
},
"scope": {
"OS-TRUST:trust": {
"id": "$TRUST_ID"
}
}
}
}
EOF
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
rm -rf auth.json
# Get CA certificate for this bay
curl -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
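Review bot: The trustee password is written in cleartext to `auth.json` in whatever the current working directory is, with the default umask, and the only cleanup is the later `rm -rf auth.json`, so any failure between `cat > auth.json` and the `rm` leaves the credential on disk; feeding the request body to curl on stdin (`-d @-`) avoids the file altogether. The token fetch also has no failure path: if the POST fails or returns no `X-Subject-Token`, `USER_TOKEN` is empty and the following `curl -X GET` still runs with an empty `X-Auth-Token` header, so the script should stop when no token came back. Note as well that `curl -i` prints CRLF-terminated header lines, so `awk '{print $2}'` may leave a trailing `\r` on the token unless it is stripped with `tr -d '\r'`; whether that bites depends on how the receiving side parses the header, so treat it as a check rather than a confirmed bug. The same block is added verbatim to make-cert.sh and needs the same change. The script continues outside the hunk.
```shell
# … unchanged: CLIENT_CERT / CLIENT_CSR / CLIENT_KEY setup …
# Get a trust-scoped token for the trustee. The request body carries the
# trustee password, so it is piped to curl on stdin rather than written to disk.
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=$(cat << EOF | curl -s -i -X POST -H "Content-Type: application/json" -d @- "$AUTH_URL/auth/tokens" | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'
{
  "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "id": "$TRUSTEE_USER_ID",
          "password": "$TRUSTEE_PASSWORD"
        }
      }
    },
    "scope": {
      "OS-TRUST:trust": {
        "id": "$TRUST_ID"
      }
    }
  }
}
EOF
)
if [ -z "$USER_TOKEN" ]; then
    echo "Failed to get a trust-scoped token from $AUTH_URL" >&2
    exit 1
fi
# … unchanged: GET of the bay CA certificate …
```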

31
magnum/templates/kubernetes/fragments/make-cert.sh

@ -43,6 +43,37 @@ SERVER_CERT=$cert_dir/server.crt
SERVER_CSR=$cert_dir/server.csr
SERVER_KEY=$cert_dir/server.key
#Get a token by user credentials and trust
cat > auth.json << EOF
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"id": "$TRUSTEE_USER_ID",
"password": "$TRUSTEE_PASSWORD"
}
}
},
"scope": {
"OS-TRUST:trust": {
"id": "$TRUST_ID"
}
}
}
}
EOF
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
rm -rf auth.json
# Get CA certificate for this bay
curl -X GET \
-H "X-Auth-Token: $USER_TOKEN" \

5
magnum/templates/kubernetes/fragments/write-heat-params-master.yaml

@ -17,7 +17,6 @@ write_files:
FLANNEL_USE_VXLAN="$FLANNEL_USE_VXLAN"
PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
AUTH_URL="$AUTH_URL"
USERNAME="$USERNAME"
PASSWORD="$PASSWORD"
TENANT_NAME="$TENANT_NAME"
@ -31,3 +30,7 @@ write_files:
NO_PROXY="$NO_PROXY"
WAIT_CURL="$WAIT_CURL"
KUBE_VERSION="$KUBE_VERSION"
TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
TRUST_ID="$TRUST_ID"
AUTH_URL="$AUTH_URL"
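Review bot: `TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"` puts the trustee password into the heat-params file that is written to every master node, alongside the existing `PASSWORD`; the `write_files` entry's `permissions:` field is outside the hunk, so confirm it restricts the file to root (e.g. `permissions: "0600"`) rather than relying on the cloud-init default. The same line is added to write-heat-params.yaml for minion nodes, where the same check applies. The `write_files` entry starts outside the hunk.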

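--- a/magnum/templates/kubernetes/fragments/write-heat-params.yaml
+++ b/magnum/templates/kubernetes/fragments/write-heat-params.yaml
@@ -32,3 +32,7 @@ write_files:
 NO_PROXY="$NO_PROXY"
 WAIT_CURL="$WAIT_CURL"
 KUBE_VERSION="$KUBE_VERSION"
+TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
+TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
+TRUST_ID="$TRUST_ID"
+AUTH_URL="$AUTH_URL"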

8
magnum/templates/kubernetes/kubecluster.yaml

@ -458,6 +458,10 @@ resources:
https_proxy: {get_param: https_proxy}
no_proxy: {get_param: no_proxy}
kube_version: {get_param: kube_version}
trustee_user_id: {get_param: trustee_user_id}
trustee_password: {get_param: trustee_password}
trust_id: {get_param: trust_id}
auth_url: {get_param: auth_url}
######################################################################
#
@ -509,6 +513,10 @@ resources:
https_proxy: {get_param: https_proxy}
no_proxy: {get_param: no_proxy}
kube_version: {get_param: kube_version}
trustee_user_id: {get_param: trustee_user_id}
trustee_password: {get_param: trustee_password}
trust_id: {get_param: trust_id}
auth_url: {get_param: auth_url}
outputs:

25
magnum/templates/kubernetes/kubemaster.yaml

@ -158,6 +158,27 @@ parameters:
type: string
description: version of kubernetes used for kubernetes cluster
trustee_user_id:
type: string
description: user id of the trustee
default: ""
trustee_password:
type: string
description: password of the trustee
default: ""
hidden: true
trust_id:
type: string
description: id of the trust which is used by the trustee
default: ""
hidden: true
auth_url:
type: string
description: url for keystone
resources:
master_wait_handle:
@ -210,6 +231,10 @@ resources:
"$NO_PROXY": {get_param: no_proxy}
"$KUBE_VERSION": {get_param: kube_version}
"$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
"$TRUSTEE_USER_ID": {get_param: trustee_user_id}
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
"$TRUST_ID": {get_param: trust_id}
"$AUTH_URL": {get_param: auth_url}
make_cert:
type: OS::Heat::SoftwareConfig
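Review bot: `trustee_user_id`, `trustee_password` and `trust_id` all carry `default: ""`, so a stack created without them validates cleanly and only fails later on the node, when make-cert.sh posts empty credentials to keystone; if they are required for certificate generation, dropping the defaults (as `auth_url` already has none) turns a missing value into an early stack-validation error instead. The descriptions are also terse: `description: keystone endpoint used by the trustee to request a trust-scoped token` says what `auth_url` is actually for, and `trust_id` could state that the trust must be held by `trustee_user_id`. kubeminion.yaml adds the identical parameter block and the same applies there. The `parameters:` and `resources:` sections continue outside the hunk.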

25
magnum/templates/kubernetes/kubeminion.yaml

@ -170,6 +170,27 @@ parameters:
type: string
description: version of kubenetes used for kubernetes cluster
trustee_user_id:
type: string
description: user id of the trustee
default: ""
trustee_password:
type: string
description: password of the trustee
default: ""
hidden: true
trust_id:
type: string
description: id of the trust which is used by the trustee
default: ""
hidden: true
auth_url:
type: string
description: url for keystone
resources:
minion_wait_handle:
@ -223,6 +244,10 @@ resources:
$NO_PROXY: {get_param: no_proxy}
$KUBE_VERSION: {get_param: kube_version}
$WAIT_CURL: {get_attr: [minion_wait_handle, curl_cli]}
$TRUSTEE_USER_ID: {get_param: trustee_user_id}
$TRUSTEE_PASSWORD: {get_param: trustee_password}
$TRUST_ID: {get_param: trust_id}
$AUTH_URL: {get_param: auth_url}
write_kubeconfig:
type: OS::Heat::SoftwareConfig
