From e8d537857a041f9b286356bdf7ed5407953d742b Mon Sep 17 00:00:00 2001
From: Hua Wang
Date: Wed, 16 Mar 2016 19:32:16 +0800
Subject: [PATCH] Use trust for tls generation

Currently, we use the users auth token, which expires after a while. We need to use a trust instead.

Change-Id: Ie18e6a1371871720fbfd4af0bd43e166075b0c6d
Closes-Bug: #1503863
Partially-Implements: blueprint use-trust-for-tls-cert-generation
---
 devstack/lib/magnum                                 |  4 ++-
 .../kubernetes/fragments/make-cert-client.sh        | 31 +++++++++++++++++++
 .../kubernetes/fragments/make-cert.sh               | 31 +++++++++++++++++++
 .../fragments/write-heat-params-master.yaml         |  5 ++-
 .../fragments/write-heat-params.yaml                |  4 +++
 magnum/templates/kubernetes/kubecluster.yaml        |  8 +++++
 magnum/templates/kubernetes/kubemaster.yaml         | 25 +++++++++++++++
 magnum/templates/kubernetes/kubeminion.yaml         | 25 +++++++++++++++
 8 files changed, 131 insertions(+), 2 deletions(-)

diff --git a/devstack/lib/magnum b/devstack/lib/magnum
index 46ab92b562..a7d1c4167d 100644
--- a/devstack/lib/magnum
+++ b/devstack/lib/magnum
@@ -155,7 +155,8 @@ function create_magnum_conf {
     configure_auth_token_middleware $MAGNUM_CONF magnum $MAGNUM_AUTH_CACHE_DIR
 
     iniset $MAGNUM_CONF keystone_auth auth_url $KEYSTONE_SERVICE_URI/v3
-    iniset $MAGNUM_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI/v3
+    iniset $MAGNUM_CONF keystone_authtoken auth_uri \
+        ${KEYSTONE_SERVICE_PROTOCOL}://${HOST_IP}:${KEYSTONE_SERVICE_PORT}/v3
     iniset $MAGNUM_CONF keystone_authtoken auth_version v3
 
     if is_fedora || is_suse; then
@@ -314,6 +315,7 @@ function configure_iptables {
         sudo iptables -t nat -A POSTROUTING -o $OBOUND_DEV -j MASQUERADE
         # bay nodes will access m-api (port $MAGNUM_SERVICE_PORT) to get CA certificate.
         sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT || true
+        sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $KEYSTONE_SERVICE_PORT -j ACCEPT || true
     fi
 }
 
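Review bot: The new INPUT rule in configure_iptables accepts TCP to $KEYSTONE_SERVICE_PORT on $HOST_IP from any source, and unlike the m-api rule directly above it carries no comment saying who needs it; add `# bay nodes will access keystone (port $KEYSTONE_SERVICE_PORT) to get trust-scoped tokens for cert generation.` above the line. If the bay network's range is known at this point, constraining the rule with `-s` to that range would keep the devstack host's Keystone from being reachable more widely than the change requires; the `|| true` matches the sibling rule but means a failed insertion only surfaces later as an auth failure on a node. In the first hunk the auth_uri now embeds ${HOST_IP} instead of $KEYSTONE_SERVICE_URI, presumably so the advertised URL is reachable from inside the bay; a one-line comment stating that intent would explain why the two adjacent iniset lines deliberately differ.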
diff --git a/magnum/templates/kubernetes/fragments/make-cert-client.sh b/magnum/templates/kubernetes/fragments/make-cert-client.sh
index 04f27943cf..b009ecd2d8 100644
--- a/magnum/templates/kubernetes/fragments/make-cert-client.sh
+++ b/magnum/templates/kubernetes/fragments/make-cert-client.sh
@@ -36,6 +36,37 @@ CLIENT_CERT=$cert_dir/client.crt
 CLIENT_CSR=$cert_dir/client.csr
 CLIENT_KEY=$cert_dir/client.key
 
+#Get a token by user credentials and trust
+cat > auth.json << EOF
+{
+  "auth": {
+    "identity": {
+      "methods": [
+        "password"
+      ],
+      "password": {
+        "user": {
+          "id": "$TRUSTEE_USER_ID",
+          "password": "$TRUSTEE_PASSWORD"
+        }
+      }
+    },
+    "scope": {
+      "OS-TRUST:trust": {
+        "id": "$TRUST_ID"
+      }
+    }
+  }
+}
+EOF
+
+#trust is introduced in Keystone v3 version
+AUTH_URL=${AUTH_URL/v2.0/v3}
+USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
+    $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
+
+rm -rf auth.json
+
 # Get CA certificate for this bay
 curl -X GET \
     -H "X-Auth-Token: $USER_TOKEN" \
diff --git a/magnum/templates/kubernetes/fragments/make-cert.sh b/magnum/templates/kubernetes/fragments/make-cert.sh
index 5df95d3207..c671363bc6 100644
--- a/magnum/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/templates/kubernetes/fragments/make-cert.sh
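Review bot: The trustee password is written to `auth.json` in whatever the current working directory happens to be, with the process umask, and the script carries on even when the token request fails, because `curl -s` is silent and an empty `USER_TOKEN` goes straight into the `X-Auth-Token` header of the next request. The identical block is added to make-cert.sh in the next hunk and needs the same treatment. A private temp file from mktemp removed by an EXIT trap (instead of `rm -rf` on a relative path), a quoted URL, and an explicit check that a token came back make the failure visible at the point it happens; the value extracted from `curl -i` output likely ends in a carriage return since HTTP header lines are CRLF-terminated, so `tr -d '\r'` is worth adding. A password containing `"` or `\` would also break the hand-built JSON body, which deserves at least a comment if it is not handled. Whether `exit 1` is the right failure path depends on how the fragment is invoked, which is outside the hunk.
```shell
# Obtain a trust-scoped token as the trustee; keep the credential file private
# and make sure it is removed however the script exits.
auth_json=$(mktemp)
trap 'rm -f "$auth_json"' EXIT
cat > "$auth_json" << EOF
# … unchanged: JSON auth request body …
EOF

# trust scoping needs the Keystone v3 API
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=$(curl -s -i -X POST -H "Content-Type: application/json" -d @"$auth_json" \
    "$AUTH_URL/auth/tokens" | grep -i '^X-Subject-Token' | awk '{print $2}' | tr -d '\r')

if [ -z "$USER_TOKEN" ]; then
    echo "make-cert-client: failed to obtain a trust-scoped token from $AUTH_URL" >&2
    exit 1
fi
# … unchanged: CA certificate download …
```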
@@ -43,6 +43,37 @@ SERVER_CERT=$cert_dir/server.crt
 SERVER_CSR=$cert_dir/server.csr
 SERVER_KEY=$cert_dir/server.key
 
+#Get a token by user credentials and trust
+cat > auth.json << EOF
+{
+  "auth": {
+    "identity": {
+      "methods": [
+        "password"
+      ],
+      "password": {
+        "user": {
+          "id": "$TRUSTEE_USER_ID",
+          "password": "$TRUSTEE_PASSWORD"
+        }
+      }
+    },
+    "scope": {
+      "OS-TRUST:trust": {
+        "id": "$TRUST_ID"
+      }
+    }
+  }
+}
+EOF
+
+#trust is introduced in Keystone v3 version
+AUTH_URL=${AUTH_URL/v2.0/v3}
+USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
+    $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
+
+rm -rf auth.json
+
 # Get CA certificate for this bay
 curl -X GET \
     -H "X-Auth-Token: $USER_TOKEN" \
diff --git a/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml
index 13a45cfaa8..76159f96fe 100644
--- a/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml
@@ -17,7 +17,6 @@ write_files:
     FLANNEL_USE_VXLAN="$FLANNEL_USE_VXLAN"
     PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
     ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
-    AUTH_URL="$AUTH_URL"
     USERNAME="$USERNAME"
     PASSWORD="$PASSWORD"
     TENANT_NAME="$TENANT_NAME"
@@ -31,3 +30,7 @@ write_files:
     NO_PROXY="$NO_PROXY"
     WAIT_CURL="$WAIT_CURL"
     KUBE_VERSION="$KUBE_VERSION"
+    TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
+    TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
+    TRUST_ID="$TRUST_ID"
+    AUTH_URL="$AUTH_URL"
diff --git a/magnum/templates/kubernetes/fragments/write-heat-params.yaml b/magnum/templates/kubernetes/fragments/write-heat-params.yaml
index d8f7d70f08..6f07fb88b4 100644
--- a/magnum/templates/kubernetes/fragments/write-heat-params.yaml
+++ b/magnum/templates/kubernetes/fragments/write-heat-params.yaml
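Review bot: TRUSTEE_PASSWORD and TRUST_ID are now written into the heat-params file next to the existing USERNAME/PASSWORD lines, but the `permissions:` of this write_files entry sits outside the hunk, so it is worth confirming the file is not created with cloud-init's documented default of 0644 now that it carries a credential that, unlike the token it replaces, does not expire. The same lines are added to write-heat-params.yaml in the following hunk, which needs the same check. Moving AUTH_URL from the middle of the list to the end is a pure reorder and raises nothing on its own.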
@@ -32,3 +32,7 @@ write_files:
     NO_PROXY="$NO_PROXY"
     WAIT_CURL="$WAIT_CURL"
     KUBE_VERSION="$KUBE_VERSION"
+    TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
+    TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
+    TRUST_ID="$TRUST_ID"
+    AUTH_URL="$AUTH_URL"
diff --git a/magnum/templates/kubernetes/kubecluster.yaml b/magnum/templates/kubernetes/kubecluster.yaml
index 45c9b15ea8..edf2a090eb 100644
--- a/magnum/templates/kubernetes/kubecluster.yaml
+++ b/magnum/templates/kubernetes/kubecluster.yaml
@@ -458,6 +458,10 @@ resources:
           https_proxy: {get_param: https_proxy}
           no_proxy: {get_param: no_proxy}
           kube_version: {get_param: kube_version}
+          trustee_user_id: {get_param: trustee_user_id}
+          trustee_password: {get_param: trustee_password}
+          trust_id: {get_param: trust_id}
+          auth_url: {get_param: auth_url}
 
   ######################################################################
   #
@@ -509,6 +513,10 @@ resources:
           https_proxy: {get_param: https_proxy}
           no_proxy: {get_param: no_proxy}
           kube_version: {get_param: kube_version}
+          trustee_user_id: {get_param: trustee_user_id}
+          trustee_password: {get_param: trustee_password}
+          trust_id: {get_param: trust_id}
+          auth_url: {get_param: auth_url}
 
 outputs:
 
diff --git a/magnum/templates/kubernetes/kubemaster.yaml b/magnum/templates/kubernetes/kubemaster.yaml
index 0dde32399d..94cb3ab8a0 100644
--- a/magnum/templates/kubernetes/kubemaster.yaml
+++ b/magnum/templates/kubernetes/kubemaster.yaml
@@ -158,6 +158,27 @@ parameters:
     type: string
     description: version of kubernetes used for kubernetes cluster
 
+  trustee_user_id:
+    type: string
+    description: user id of the trustee
+    default: ""
+
+  trustee_password:
+    type: string
+    description: password of the trustee
+    default: ""
+    hidden: true
+
+  trust_id:
+    type: string
+    description: id of the trust which is used by the trustee
+    default: ""
+    hidden: true
+
+  auth_url:
+    type: string
+    description: url for keystone
+
 resources:
 
   master_wait_handle:
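Review bot: Both kubecluster.yaml hunks pass `trustee_user_id`, `trustee_password`, `trust_id` and `auth_url` with `get_param`, yet the diffstat shows only these eight pass-through lines for the file, so unless those parameters were already declared in this template's `parameters:` section by an earlier change, stack validation will fail on the unknown names. If they are declared elsewhere, a short comment above the first block pointing at where they come from, such as `# trustee credentials: declared in parameters above, password and trust id hidden`, would save the next reader the same search. The enclosing resource definitions start outside the hunks.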
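Review bot: In the kubemaster.yaml parameters hunk `trustee_user_id`, `trustee_password` and `trust_id` default to `""` while `auth_url` has no default, so a stack created without the trust values validates cleanly and only fails later inside make-cert.sh when Keystone rejects the empty credentials; dropping the three defaults makes the missing input fail at create time, consistent with `auth_url`. The kubeminion.yaml parameters hunk below repeats the same defaults. `hidden: true` keeps the password and trust id out of stack output, but the values are still delivered to the node through user-data, so the trustee should be an account whose only privilege is the trust used here, and a sentence to that effect in the `description:` of `trustee_password` would record that expectation for whoever provisions it.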
@@ -210,6 +231,10 @@ resources:
             "$NO_PROXY": {get_param: no_proxy}
             "$KUBE_VERSION": {get_param: kube_version}
             "$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
+            "$TRUSTEE_USER_ID": {get_param: trustee_user_id}
+            "$TRUSTEE_PASSWORD": {get_param: trustee_password}
+            "$TRUST_ID": {get_param: trust_id}
+            "$AUTH_URL": {get_param: auth_url}
 
   make_cert:
     type: OS::Heat::SoftwareConfig
diff --git a/magnum/templates/kubernetes/kubeminion.yaml b/magnum/templates/kubernetes/kubeminion.yaml
index 3ff3a5d640..ca6f98e0fd 100644
--- a/magnum/templates/kubernetes/kubeminion.yaml
+++ b/magnum/templates/kubernetes/kubeminion.yaml
@@ -170,6 +170,27 @@ parameters:
     type: string
     description: version of kubenetes used for kubernetes cluster
 
+  trustee_user_id:
+    type: string
+    description: user id of the trustee
+    default: ""
+
+  trustee_password:
+    type: string
+    description: password of the trustee
+    default: ""
+    hidden: true
+
+  trust_id:
+    type: string
+    description: id of the trust which is used by the trustee
+    default: ""
+    hidden: true
+
+  auth_url:
+    type: string
+    description: url for keystone
+
 resources:
 
   minion_wait_handle:
@@ -223,6 +244,10 @@ resources:
             $NO_PROXY: {get_param: no_proxy}
             $KUBE_VERSION: {get_param: kube_version}
             $WAIT_CURL: {get_attr: [minion_wait_handle, curl_cli]}
+            $TRUSTEE_USER_ID: {get_param: trustee_user_id}
+            $TRUSTEE_PASSWORD: {get_param: trustee_password}
+            $TRUST_ID: {get_param: trust_id}
+            $AUTH_URL: {get_param: auth_url}
 
   write_kubeconfig:
     type: OS::Heat::SoftwareConfig