Merge "Fix issues with [trustee] section of heat.conf"
This commit is contained in:
commit
6c90f49858
49
heat/templates/bin/_trusts.sh.tpl
Normal file
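--- a/heat/templates/bin/_trusts.sh.tpl
+++ b/heat/templates/bin/_trusts.sh.tpl
@@ -0,0 +1,49 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+
+set -ex
+
+# Get IDs for filtering
+OS_PROJECT_ID=$(openstack project show -f value -c id ${OS_PROJECT_NAME})
+OS_USER_ID=$(openstack user show -f value -c id ${OS_USERNAME})
+SERVICE_OS_TRUSTEE_ID=$(openstack user show -f value -c id ${SERVICE_OS_TRUSTEE})
+
+# Check if trust doesn't already exist
+openstack trust list -f value -c "Project ID" \
+-c "Trustee User ID" -c "Trustor User ID" | \
+grep "^${OS_PROJECT_ID} ${SERVICE_OS_TRUSTEE_ID} ${OS_USER_ID}$" && \
+exit 0
+
+# If there are no roles specified...
+if [ -z "${SERVICE_OS_ROLES}" ]; then
+# ...Heat will try to delegate all of the roles that user has in the
+# project. Let's fetch them all and use that.
+readarray -t roles < <(openstack role assignment list -f value \
+-c "Role" --user="${OS_USERNAME}" --project="${OS_PROJECT_ID}")
+else
+# Split roles into an array
+IFS=',' read -r -a roles <<< "${SERVICE_OS_ROLES}"
+fi
+
+# Create trust between trustor and trustee
+SERVICE_OS_TRUST_ID=$(openstack trust create -f value -c id \
+--project="${OS_PROJECT_NAME}" \
+${roles[@]/#/--role=} \
+"${OS_USERNAME}" \
+"${SERVICE_OS_TRUSTEE}")
+
+# Display trust
+openstack trust show "${SERVICE_OS_TRUST_ID}"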
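Review bot: The empty-roles branch (`readarray -t roles < <(openstack role assignment list ...)`) delegates every role the trustor holds in the project to the trustee, and because job-trusts.yaml builds the openrc env from `secrets.identity.admin`, that trustor is the admin user, so the `openstack trust create` call can hand the admin role to the trustee with no `--expiration`; that deserves an explicit comment and a deliberate default rather than a silent fallback. I would add above the `if`: `# NOTE: with SERVICE_OS_ROLES empty, every role the trustor (this job's OS_USERNAME) holds in the project is delegated — set trusts_delegated_roles to the minimum Heat needs.` The `${roles[@]/#/--role=}` expansion is unquoted and the three lookups at the top pass `${OS_PROJECT_NAME}`, `${OS_USERNAME}` and `${SERVICE_OS_TRUSTEE}` unquoted; use `"${roles[@]/#/--role=}"` and quote the three names. The existence check is a plain `|` pipeline without `pipefail`, so a failing `openstack trust list` (whose column order I am assuming matches the grep pattern) falls through to creating a second trust instead of aborting; `set -o pipefail` next to `set -ex`, or running the list call separately and testing its status, would close that. The `#!/bin/bash` below the license header is inert, harmless only because the Job runs `bash /tmp/trusts.sh` explicitly, and should be moved to line 1.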
@ -38,6 +38,8 @@ data:
|
||||
{{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
|
||||
ks-domain-user.sh: |+
|
||||
{{- include "helm-toolkit.scripts.keystone_domain_user" . | indent 4 }}
|
||||
trusts.sh: |+
|
||||
{{ tuple "bin/_trusts.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
heat-api.sh: |
|
||||
{{ tuple "bin/_heat-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
heat-cfn.sh: |
|
||||
|
54
heat/templates/job-trusts.yaml
Normal file
54
heat/templates/job-trusts.yaml
Normal file
@ -0,0 +1,54 @@
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
{{- $envAll := . }}
|
||||
{{- $dependencies := .Values.dependencies.trusts }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: heat-trusts
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
initContainers:
|
||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
- name: heat-trusts
|
||||
image: {{ $envAll.Values.images.ks_service }}
|
||||
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.trusts | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
command:
|
||||
- bash
|
||||
- /tmp/trusts.sh
|
||||
volumeMounts:
|
||||
- name: heat-bin
|
||||
mountPath: /tmp/trusts.sh
|
||||
subPath: trusts.sh
|
||||
readOnly: true
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
- name: SERVICE_OS_ROLES
|
||||
value: {{ .Values.conf.heat.default.heat.common.config.trusts_delegated_roles }}
|
||||
- name: SERVICE_OS_TRUSTEE
|
||||
value: {{ .Values.endpoints.identity.auth.trustee.username }}
|
||||
volumes:
|
||||
- name: heat-bin
|
||||
configMap:
|
||||
name: heat-bin
|
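Review bot: `value: {{ .Values.conf.heat.default.heat.common.config.trusts_delegated_roles }}` and `value: {{ .Values.endpoints.identity.auth.trustee.username }}` render unquoted, so an empty roles string becomes a bare `value:` (YAML null) and a role or user name that YAML reinterprets (`yes`, `on`, a number) changes type, while Kubernetes requires an env `value` to be a string; both should be `value: {{ ... | quote }}`. The env block is built from `secrets.identity.admin`, which makes the admin user the trustor of the trust the script creates — if that is the intent, a comment on `env:` such as `# the admin openrc is the trustor; its roles are delegated to the trustee` saves the next reader a trip through trusts.sh. The Job declares no `backoffLimit` or `activeDeadlineSeconds`, so a persistently failing trust creation restarts indefinitely under `restartPolicy: OnFailure`; consider adding `backoffLimit` under `spec`, presumably matching what the chart's other jobs use.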
@ -12,7 +12,7 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# Default values for keystone.
|
||||
# Default values for heat.
|
||||
# This is a YAML-formatted file.
|
||||
# Declare name/value pairs to be passed into your templates.
|
||||
# name: value
|
||||
@ -52,7 +52,7 @@ conf:
|
||||
common:
|
||||
config:
|
||||
num_engine_workers: 4
|
||||
trusts_delegated_roles: _member_
|
||||
trusts_delegated_roles: ""
|
||||
keystone_authtoken:
|
||||
keystonemiddleware:
|
||||
auth_token:
|
||||
@ -62,7 +62,6 @@ conf:
|
||||
heat:
|
||||
common:
|
||||
context:
|
||||
auth_section: trustee
|
||||
auth_type: password
|
||||
auth_version: v3
|
||||
heat_api:
|
||||
@ -148,6 +147,12 @@ dependencies:
|
||||
services:
|
||||
- service: identity
|
||||
endpoint: internal
|
||||
trusts:
|
||||
jobs:
|
||||
- heat-ks-user
|
||||
services:
|
||||
- service: identity
|
||||
endpoint: internal
|
||||
api:
|
||||
jobs:
|
||||
- heat-db-sync
|
||||
@ -233,7 +238,7 @@ endpoints:
|
||||
stack_user:
|
||||
role: admin
|
||||
region_name: RegionOne
|
||||
username: heat-trust
|
||||
username: heat-domain
|
||||
password: password
|
||||
domain_name: heat
|
||||
hosts:
|
||||
@ -456,6 +461,13 @@ pod:
|
||||
limits:
|
||||
memory: "1024Mi"
|
||||
cpu: "2000m"
|
||||
trusts:
|
||||
requests:
|
||||
memory: "124Mi"
|
||||
cpu: "100m"
|
||||
limits:
|
||||
memory: "1024Mi"
|
||||
cpu: "2000m"
|
||||
|
||||
manifests:
|
||||
configmap_bin: true
|
||||
|
@ -56,9 +56,7 @@ openstack user show "${SERVICE_OS_USERID}"
|
||||
|
||||
# Manage role
|
||||
SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
|
||||
--domain="${SERVICE_OS_DOMAIN_ID}" \
|
||||
"${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
|
||||
--domain="${SERVICE_OS_DOMAIN_ID}" \
|
||||
"${SERVICE_OS_ROLE}" )
|
||||
|
||||
# Manage user role assignment
|
||||
|