d8df9d0c36
With the new config option `keystone_auth_default_policy`, cloud admin can set a default keystone auth policy for k8s cluster when the keystone auth is enabled. As a result, user can use their current keystone user to access k8s cluster as long as they're assigned correct roles, and they will get the pre-defined permissions set by the cloud provider. The default policy now is based on the v2 format recently introduced in k8s-keystone-auth which is getting more useful now. For example, in v1 it doesn't support a policy for user to access resources from all namespaces but kube-system, but v2 can do that. NOTE: Now we're using openstackmagnum dockerhub repo until CPO team fixing their image release issue. Task: 30069 Story: 1755770 Change-Id: I2425e957bd99edc92482b6f11ca0b1f91fe59ff6
421 lines
15 KiB
Bash
421 lines
15 KiB
Bash
#!/bin/bash
|
|
#
|
|
# lib/magnum
|
|
# Functions to control the configuration and operation of the **magnum** service
|
|
|
|
# Dependencies:
|
|
#
|
|
# - ``functions`` file
|
|
# - ``DEST``, ``DATA_DIR``, ``STACK_USER`` must be defined
|
|
# - ``SERVICE_{TENANT_NAME|PASSWORD}`` must be defined
|
|
|
|
# ``stack.sh`` calls the entry points in this order:
|
|
#
|
|
# - install_magnum
|
|
# - configure_magnum
|
|
# - create_magnum_conf
|
|
# - init_magnum
|
|
# - magnum_register_image
|
|
# - start_magnum
|
|
# - configure_iptables_magnum
|
|
# - configure_apache_magnum
|
|
# - stop_magnum
|
|
# - cleanup_magnum
|
|
|
|
# Save trace setting
|
|
XTRACE=$(set +o | grep xtrace)
|
|
set +o xtrace
|
|
|
|
|
|
# Defaults
|
|
# --------
|
|
|
|
# Set up default directories
|
|
MAGNUM_REPO=${MAGNUM_REPO:-${GIT_BASE}/openstack/magnum.git}
|
|
MAGNUM_BRANCH=${MAGNUM_BRANCH:-master}
|
|
MAGNUM_DIR=$DEST/magnum
|
|
|
|
GITREPO["python-magnumclient"]=${MAGNUMCLIENT_REPO:-${GIT_BASE}/openstack/python-magnumclient.git}
|
|
GITBRANCH["python-magnumclient"]=${MAGNUMCLIENT_BRANCH:-master}
|
|
GITDIR["python-magnumclient"]=$DEST/python-magnumclient
|
|
|
|
MAGNUM_STATE_PATH=${MAGNUM_STATE_PATH:=$DATA_DIR/magnum}
|
|
MAGNUM_AUTH_CACHE_DIR=${MAGNUM_AUTH_CACHE_DIR:-/var/cache/magnum}
|
|
MAGNUM_CERTIFICATE_CACHE_DIR=${MAGNUM_CERTIFICATE_CACHE_DIR:-/var/lib/magnum/certificate-cache}
|
|
|
|
MAGNUM_CONF_DIR=/etc/magnum
|
|
MAGNUM_CONF=$MAGNUM_CONF_DIR/magnum.conf
|
|
MAGNUM_API_PASTE=$MAGNUM_CONF_DIR/api-paste.ini
|
|
MAGNUM_K8S_KEYSTONE_AUTH_DEFAULT_POLICY=$MAGNUM_CONF_DIR/k8s_keystone_auth_default_policy.json
|
|
MAGNUM_POLICY=$MAGNUM_CONF_DIR/policy.yaml
|
|
|
|
if is_ssl_enabled_service "magnum" || is_service_enabled tls-proxy; then
|
|
MAGNUM_SERVICE_PROTOCOL="https"
|
|
fi
|
|
|
|
# Public facing bits
|
|
MAGNUM_SERVICE_HOST=${MAGNUM_SERVICE_HOST:-$HOST_IP}
|
|
MAGNUM_SERVICE_PORT=${MAGNUM_SERVICE_PORT:-9511}
|
|
MAGNUM_SERVICE_PORT_INT=${MAGNUM_SERVICE_PORT_INT:-19511}
|
|
MAGNUM_SERVICE_PROTOCOL=${MAGNUM_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
|
|
|
MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD=${MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD:-secret}
|
|
|
|
MAGNUM_SWIFT_REGISTRY_CONTAINER=${MAGNUM_SWIFT_REGISTRY_CONTAINER:-docker_registry}
|
|
|
|
# Support entry points installation of console scripts
|
|
if [[ -d $MAGNUM_DIR/bin ]]; then
|
|
MAGNUM_BIN_DIR=$MAGNUM_DIR/bin
|
|
else
|
|
MAGNUM_BIN_DIR=$(get_python_exec_prefix)
|
|
fi
|
|
|
|
MAGNUM_CONFIGURE_IPTABLES=${MAGNUM_CONFIGURE_IPTABLES:-True}
|
|
|
|
# Functions
|
|
# ---------
|
|
|
|
# Test if any magnum services are enabled
|
|
# is_magnum_enabled
|
|
function is_magnum_enabled {
|
|
[[ ,${ENABLED_SERVICES} =~ ,"magnum-" ]] && return 0
|
|
return 1
|
|
}
|
|
# cleanup_magnum() - Remove residual data files, anything left over from previous
|
|
# runs that a clean run would need to clean up
|
|
function cleanup_magnum {
|
|
sudo rm -rf $MAGNUM_STATE_PATH $MAGNUM_AUTH_CACHE_DIR $MAGNUM_CERTIFICATE_CACHE_DIR
|
|
}
|
|
|
|
# configure_magnum() - Set config files, create data dirs, etc
|
|
function configure_magnum {
|
|
# Put config files in ``/etc/magnum`` for everyone to find
|
|
if [[ ! -d $MAGNUM_CONF_DIR ]]; then
|
|
sudo mkdir -p $MAGNUM_CONF_DIR
|
|
sudo chown $STACK_USER $MAGNUM_CONF_DIR
|
|
fi
|
|
|
|
# Rebuild the config file from scratch
|
|
create_magnum_conf
|
|
|
|
create_api_paste_conf
|
|
|
|
create_k8s_keystone_auth_default_poliy
|
|
}
|
|
|
|
# create_magnum_accounts() - Set up common required magnum accounts
|
|
#
|
|
# Project User Roles
|
|
# ------------------------------------------------------------------
|
|
# SERVICE_PROJECT_NAME magnum service
|
|
function create_magnum_accounts {
|
|
|
|
create_service_user "magnum" "admin"
|
|
|
|
local magnum_service=$(get_or_create_service "magnum" \
|
|
"container-infra" "Container Infrastructure Management Service")
|
|
get_or_create_endpoint $magnum_service \
|
|
"$REGION_NAME" \
|
|
"$MAGNUM_SERVICE_PROTOCOL://$MAGNUM_SERVICE_HOST:$MAGNUM_SERVICE_PORT/v1" \
|
|
"$MAGNUM_SERVICE_PROTOCOL://$MAGNUM_SERVICE_HOST:$MAGNUM_SERVICE_PORT/v1" \
|
|
"$MAGNUM_SERVICE_PROTOCOL://$MAGNUM_SERVICE_HOST:$MAGNUM_SERVICE_PORT/v1"
|
|
|
|
# Create for Kubernetes Keystone auth
|
|
get_or_create_role k8s_admin
|
|
get_or_create_role k8s_developer
|
|
get_or_create_role k8s_viewer
|
|
}
|
|
|
|
# create_magnum_conf() - Create a new magnum.conf file
|
|
function create_magnum_conf {
|
|
|
|
# (Re)create ``magnum.conf``
|
|
rm -f $MAGNUM_CONF
|
|
HOSTNAME=`hostname`
|
|
iniset $MAGNUM_CONF DEFAULT debug "$ENABLE_DEBUG_LOG_LEVEL"
|
|
iniset $MAGNUM_CONF DEFAULT transport_url $(get_transport_url)
|
|
iniset $MAGNUM_CONF DEFAULT host "$HOSTNAME"
|
|
|
|
iniset $MAGNUM_CONF database connection `database_connection_url magnum`
|
|
iniset $MAGNUM_CONF api host "$MAGNUM_SERVICE_HOST"
|
|
if is_service_enabled tls-proxy; then
|
|
iniset $MAGNUM_CONF api port "$MAGNUM_SERVICE_PORT_INT"
|
|
iniset $MAGNUM_CONF drivers verify_ca true
|
|
iniset $MAGNUM_CONF drivers openstack_ca_file $SSL_BUNDLE_FILE
|
|
else
|
|
iniset $MAGNUM_CONF api port "$MAGNUM_SERVICE_PORT"
|
|
iniset $MAGNUM_CONF drivers verify_ca false
|
|
fi
|
|
|
|
iniset $MAGNUM_CONF cluster temp_cache_dir $MAGNUM_CERTIFICATE_CACHE_DIR
|
|
|
|
iniset $MAGNUM_CONF oslo_policy policy_file $MAGNUM_POLICY
|
|
|
|
iniset $MAGNUM_CONF keystone_auth auth_type password
|
|
iniset $MAGNUM_CONF keystone_auth username magnum
|
|
iniset $MAGNUM_CONF keystone_auth password $SERVICE_PASSWORD
|
|
iniset $MAGNUM_CONF keystone_auth project_name $SERVICE_PROJECT_NAME
|
|
iniset $MAGNUM_CONF keystone_auth project_domain_id default
|
|
iniset $MAGNUM_CONF keystone_auth user_domain_id default
|
|
|
|
configure_auth_token_middleware $MAGNUM_CONF magnum $MAGNUM_AUTH_CACHE_DIR
|
|
|
|
iniset $MAGNUM_CONF keystone_auth auth_url $KEYSTONE_AUTH_URI_V3
|
|
|
|
# FIXME(pauloewerton): keystone_authtoken section is deprecated. Remove it
|
|
# after deprecation period.
|
|
iniset $MAGNUM_CONF keystone_authtoken www_authenticate_uri $KEYSTONE_SERVICE_URI_V3
|
|
iniset $MAGNUM_CONF keystone_authtoken auth_url $KEYSTONE_AUTH_URI_V3
|
|
iniset $MAGNUM_CONF keystone_authtoken auth_version v3
|
|
|
|
if is_fedora || is_suse; then
|
|
# magnum defaults to /usr/local/bin, but fedora and suse pip like to
|
|
# install things in /usr/bin
|
|
iniset $MAGNUM_CONF DEFAULT bindir "/usr/bin"
|
|
fi
|
|
|
|
if [ -n "$MAGNUM_STATE_PATH" ]; then
|
|
iniset $MAGNUM_CONF DEFAULT state_path "$MAGNUM_STATE_PATH"
|
|
iniset $MAGNUM_CONF oslo_concurrency lock_path "$MAGNUM_STATE_PATH"
|
|
fi
|
|
|
|
if [ "$USE_SYSTEMD" != "False" ]; then
|
|
setup_systemd_logging $MAGNUM_CONF
|
|
fi
|
|
|
|
# Format logging
|
|
if [ "$LOG_COLOR" == "True" ] && [ "$USE_SYSTEMD" == "False" ]; then
|
|
setup_colorized_logging $MAGNUM_CONF DEFAULT
|
|
fi
|
|
|
|
# Register SSL certificates if provided
|
|
if is_ssl_enabled_service magnum; then
|
|
ensure_certificates MAGNUM
|
|
|
|
iniset $MAGNUM_CONF DEFAULT ssl_cert_file "$MAGNUM_SSL_CERT"
|
|
iniset $MAGNUM_CONF DEFAULT ssl_key_file "$MAGNUM_SSL_KEY"
|
|
|
|
iniset $MAGNUM_CONF DEFAULT enabled_ssl_apis "$MAGNUM_ENABLED_APIS"
|
|
fi
|
|
|
|
if is_service_enabled ceilometer; then
|
|
iniset $MAGNUM_CONF oslo_messaging_notifications driver "messaging"
|
|
fi
|
|
|
|
if is_service_enabled barbican; then
|
|
iniset $MAGNUM_CONF certificates cert_manager_type "barbican"
|
|
else
|
|
iniset $MAGNUM_CONF certificates cert_manager_type "x509keypair"
|
|
fi
|
|
|
|
trustee_domain_id=$(get_or_create_domain magnum 'Owns users and projects created by magnum')
|
|
trustee_domain_admin_id=$(get_or_create_user trustee_domain_admin $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD $trustee_domain_id)
|
|
openstack --os-auth-url $KEYSTONE_SERVICE_URI_V3 \
|
|
--os-identity-api-version 3 role add \
|
|
--user $trustee_domain_admin_id --domain $trustee_domain_id \
|
|
admin
|
|
iniset $MAGNUM_CONF trust cluster_user_trust True
|
|
iniset $MAGNUM_CONF trust trustee_domain_name magnum
|
|
iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin
|
|
iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD
|
|
iniset $MAGNUM_CONF trust trustee_keystone_interface public
|
|
iniset $MAGNUM_CONF cinder_client region_name $REGION_NAME
|
|
|
|
if is_service_enabled swift; then
|
|
iniset $MAGNUM_CONF docker_registry swift_region $REGION_NAME
|
|
iniset $MAGNUM_CONF docker_registry swift_registry_container $MAGNUM_SWIFT_REGISTRY_CONTAINER
|
|
fi
|
|
|
|
# Get the default volume type from cinder.conf and set the coresponding
|
|
# default in magnum.conf
|
|
default_volume_type=$(iniget /etc/cinder/cinder.conf DEFAULT default_volume_type)
|
|
iniset $MAGNUM_CONF cinder default_docker_volume_type $default_volume_type
|
|
iniset $MAGNUM_CONF drivers send_cluster_metrics False
|
|
|
|
iniset $MAGNUM_CONF kubernetes keystone_auth_default_policy $MAGNUM_K8S_KEYSTONE_AUTH_DEFAULT_POLICY
|
|
}
|
|
|
|
function create_api_paste_conf {
|
|
# copy api_paste.ini
|
|
cp $MAGNUM_DIR/etc/magnum/api-paste.ini $MAGNUM_API_PASTE
|
|
}
|
|
|
|
function create_k8s_keystone_auth_default_poliy {
|
|
cp $MAGNUM_DIR/etc/magnum/keystone_auth_default_policy.sample $MAGNUM_K8S_KEYSTONE_AUTH_DEFAULT_POLICY
|
|
}
|
|
|
|
# create_magnum_cache_dir() - Part of the init_magnum() process
|
|
function create_magnum_cache_dir {
|
|
# Create cache dir
|
|
sudo mkdir -p $1
|
|
sudo chown $STACK_USER $1
|
|
rm -f $1/*
|
|
}
|
|
|
|
|
|
# init_magnum() - Initialize databases, etc.
|
|
function init_magnum {
|
|
# Only do this step once on the API node for an entire cluster.
|
|
if is_service_enabled $DATABASE_BACKENDS && is_service_enabled magnum-api; then
|
|
# (Re)create magnum database
|
|
recreate_database magnum
|
|
|
|
# Migrate magnum database
|
|
$MAGNUM_BIN_DIR/magnum-db-manage upgrade
|
|
fi
|
|
create_magnum_cache_dir $MAGNUM_AUTH_CACHE_DIR
|
|
create_magnum_cache_dir $MAGNUM_CERTIFICATE_CACHE_DIR
|
|
}
|
|
|
|
# magnum_register_image - Register heat image for magnum with property os_distro
|
|
function magnum_register_image {
|
|
local magnum_image_property="--property os_distro="
|
|
|
|
local atomic="$(echo $MAGNUM_GUEST_IMAGE_URL | grep -io 'atomic' || true;)"
|
|
if [ ! -z "$atomic" ]; then
|
|
magnum_image_property=$magnum_image_property"fedora-atomic"
|
|
fi
|
|
local ubuntu="$(echo $MAGNUM_GUEST_IMAGE_URL | grep -io "ubuntu" || true;)"
|
|
if [ ! -z "$ubuntu" ]; then
|
|
magnum_image_property=$magnum_image_property"ubuntu"
|
|
fi
|
|
local coreos="$(echo $MAGNUM_GUEST_IMAGE_URL | grep -io "coreos" || true;)"
|
|
if [ ! -z "$coreos" ]; then
|
|
magnum_image_property=$magnum_image_property"coreos"
|
|
fi
|
|
# os_distro property for fedora ironic image
|
|
local fedora_ironic="$(echo $MAGNUM_GUEST_IMAGE_URL | grep -i "ironic" \
|
|
| grep -io "fedora" || true;)"
|
|
if [ ! -z "$fedora_ironic" ]; then
|
|
magnum_image_property=$magnum_image_property"fedora"
|
|
fi
|
|
|
|
# get the image name
|
|
local image_filename=$(basename "$MAGNUM_GUEST_IMAGE_URL")
|
|
local image_name=""
|
|
for extension in "tgz" "img" "qcow2" "iso" "vhd" "vhdx" "tar.gz" "img.gz" "img.bz2" "vhd.gz" "vhdx.gz"
|
|
do
|
|
if [ $(expr match "${image_filename}" ".*\.${extension}$") -ne 0 ]; then
|
|
image_name=$(basename "$image_filename" ".${extension}")
|
|
break
|
|
fi
|
|
done
|
|
if [ -z ${image_name} ]; then
|
|
echo "Unknown image extension in $image_filename, supported extensions: tgz, img, qcow2, iso, vhd, vhdx, tar.gz, img.gz, img.bz2, vhd.gz, vhdx.gz"; false
|
|
fi
|
|
|
|
openstack --os-url $GLANCE_SERVICE_PROTOCOL://$GLANCE_HOSTPORT --os-image-api-version 2 image set $image_name $magnum_image_property
|
|
}
|
|
|
|
# install_magnumclient() - Collect source and prepare
|
|
function install_magnumclient {
|
|
if use_library_from_git "python-magnumclient"; then
|
|
git_clone_by_name "python-magnumclient"
|
|
setup_dev_lib "python-magnumclient"
|
|
sudo install -D -m 0644 -o $STACK_USER {${GITDIR["python-magnumclient"]}/tools/,/etc/bash_completion.d/}magnum.bash_completion
|
|
fi
|
|
}
|
|
|
|
# install_magnum() - Collect source and prepare
|
|
function install_magnum {
|
|
git_clone $MAGNUM_REPO $MAGNUM_DIR $MAGNUM_BRANCH
|
|
setup_develop $MAGNUM_DIR
|
|
}
|
|
|
|
# start_magnum_api() - Start the API process ahead of other things
|
|
function start_magnum_api {
|
|
# Get right service port for testing
|
|
local service_port=$MAGNUM_SERVICE_PORT
|
|
local service_protocol=$MAGNUM_SERVICE_PROTOCOL
|
|
if is_service_enabled tls-proxy; then
|
|
service_port=$MAGNUM_SERVICE_PORT_INT
|
|
service_protocol="http"
|
|
fi
|
|
|
|
run_process magnum-api "$MAGNUM_BIN_DIR/magnum-api"
|
|
echo "Waiting for magnum-api to start..."
|
|
if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$MAGNUM_SERVICE_HOST:$service_port; then
|
|
die $LINENO "magnum-api did not start"
|
|
fi
|
|
|
|
# Start proxies if enabled
|
|
if is_service_enabled tls-proxy; then
|
|
start_tls_proxy magnum '*' $MAGNUM_SERVICE_PORT $MAGNUM_SERVICE_HOST $MAGNUM_SERVICE_PORT_INT &
|
|
fi
|
|
}
|
|
|
|
|
|
# configure_iptables_magnum() - Configure the IP table rules for Magnum
|
|
function configure_iptables_magnum {
|
|
if [ "$MAGNUM_CONFIGURE_IPTABLES" != "False" ]; then
|
|
ROUTE_TO_INTERNET=$(ip route get 8.8.8.8)
|
|
OBOUND_DEV=$(echo ${ROUTE_TO_INTERNET#*dev} | awk '{print $1}')
|
|
sudo iptables -t nat -A POSTROUTING -o $OBOUND_DEV -j MASQUERADE
|
|
# bay nodes will access magnum-api (port $MAGNUM_SERVICE_PORT) to get CA certificate.
|
|
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT || true
|
|
# allow access to keystone etc (http and https)
|
|
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport 80 -j ACCEPT || true
|
|
sudo iptables -I INPUT -d $HOST_IP -p tcp --dport 443 -j ACCEPT || true
|
|
fi
|
|
}
|
|
|
|
|
|
function configure_apache_magnum {
|
|
# Set redirection for kubernetes openstack cloud provider
|
|
# FIXME: When [1] is in kubernetes, we won't need the redirection anymore.
|
|
# [1] https://github.com/gophercloud/gophercloud/pull/423
|
|
HTACCESS_PATH=/var/www/html
|
|
if is_ubuntu; then
|
|
OVERRIDE_CONF_FILE=/etc/apache2/apache2.conf
|
|
elif is_fedora; then
|
|
OVERRIDE_CONF_FILE=/etc/httpd/conf/httpd.conf
|
|
fi
|
|
# If horizon is enabled then we need
|
|
if is_service_enabled horizon; then
|
|
HTACCESS_PATH=$DEST/horizon/.blackhole
|
|
sudo tee -a $APACHE_CONF_DIR/horizon.conf <<EOF
|
|
<Directory $HTACCESS_PATH>
|
|
Options Indexes FollowSymLinks
|
|
AllowOverride all
|
|
Require all granted
|
|
</Directory>
|
|
EOF
|
|
else
|
|
sudo tee -a $OVERRIDE_CONF_FILE <<EOF
|
|
<Directory $HTACCESS_PATH>
|
|
Options Indexes FollowSymLinks
|
|
AllowOverride all
|
|
Require all granted
|
|
</Directory>
|
|
EOF
|
|
fi
|
|
|
|
sudo mkdir -p $HTACCESS_PATH
|
|
sudo tee $HTACCESS_PATH/.htaccess <<EOF
|
|
RewriteEngine on
|
|
RewriteRule ^v2\.0(.*) /identity/v2.0\$1
|
|
RewriteRule ^v3(.*) /identity/v3\$1
|
|
EOF
|
|
enable_apache_mod rewrite
|
|
}
|
|
|
|
|
|
# start_magnum() - Start running processes, including screen
|
|
function start_magnum {
|
|
|
|
# ``run_process`` checks ``is_service_enabled``, it is not needed here
|
|
start_magnum_api
|
|
run_process magnum-cond "$MAGNUM_BIN_DIR/magnum-conductor"
|
|
}
|
|
|
|
# stop_magnum() - Stop running processes (non-screen)
|
|
function stop_magnum {
|
|
for serv in magnum-api magnum-cond; do
|
|
stop_process $serv
|
|
done
|
|
}
|
|
|
|
|
|
# Restore xtrace
|
|
$XTRACE
|