From 6fe001361a02113aefb90502e858badbcfe8e954 Mon Sep 17 00:00:00 2001
From: Samuel Pilla
Date: Tue, 16 Oct 2018 09:24:43 -0500
Subject: [PATCH] Add LDAP support for k8s-keystone-auth in gate

This patch set changes the keystone in the k8s-keystone-auth to be backed by LDAP. It also updates the test to use the LDAP users instead of created users in the database.
Co-Authored-By: Samuel Pilla
Change-Id: Ia34dac51b36a300068ad5fd936c48b0f30821a52
Signed-off-by: Tin Lam
---
 tools/deployment/keystone-auth/070-keystone.sh | 2 +-
 tools/deployment/keystone-auth/080-check.sh | 15 ++++++---------
 2 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/tools/deployment/keystone-auth/070-keystone.sh b/tools/deployment/keystone-auth/070-keystone.sh
index e82b53e5af..90cc8bc78b 100755
--- a/tools/deployment/keystone-auth/070-keystone.sh
+++ b/tools/deployment/keystone-auth/070-keystone.sh
@@ -17,4 +17,4 @@ set -xe
 #NOTE: Move into openstack-helm root dir & Run keystone deployment script
-cd "${OSH_PATH}"; ./tools/deployment/developer/nfs/080-keystone.sh
+cd "${OSH_PATH}"; ./tools/deployment/developer/ldap/080-keystone.sh
diff --git a/tools/deployment/keystone-auth/080-check.sh b/tools/deployment/keystone-auth/080-check.sh
index ead9da6417..5ee711b7b9 100755
--- a/tools/deployment/keystone-auth/080-check.sh
+++ b/tools/deployment/keystone-auth/080-check.sh
@@ -30,10 +30,6 @@ kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get pods
 kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get pods -n openstack
 kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get secrets -n openstack
-# create users
-openstack user create --or-show --password demoPassword demoUser
-openstack user create --or-show --password demoPassword kube-system-admin
-
 # create project
 openstack project create --or-show openstack-system
 openstack project create --or-show demoProject
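Review bot: In 070-keystone.sh the comment above the changed line still says only "Run keystone deployment script", while the line now runs the LDAP-backed variant under `developer/ldap/`. I would update it to `#NOTE: Move into openstack-helm root dir & run the LDAP-backed keystone deployment script`. That script presumably needs an LDAP server to have been deployed earlier in the keystone-auth sequence; no such step is visible in this patch, so it is worth confirming that the gate provides one before this step runs.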
@@ -43,15 +39,16 @@ openstack role create --or-show openstackRole
 openstack role create --or-show kube-system-admin
 # assign user role to project
-openstack role add --project openstack-system --user demoUser --project-domain default --user-domain default openstackRole
-openstack role add --project demoProject --user kube-system-admin --project-domain default --user-domain default kube-system-admin
+openstack role add --project openstack-system --user bob --project-domain default --user-domain ldapdomain openstackRole
+openstack role add --project demoProject --user alice --project-domain default --user-domain ldapdomain kube-system-admin
 unset OS_CLOUD
 export OS_AUTH_URL="http://keystone.openstack.svc.cluster.local/v3"
 export OS_IDENTITY_API_VERSION="3"
 export OS_PROJECT_NAME="openstack-system"
-export OS_PASSWORD="demoPassword"
-export OS_USERNAME="demoUser"
+export OS_PASSWORD="password"
+export OS_USERNAME="bob"
+export OS_USER_DOMAIN_NAME="ldapdomain"
 # See this does fail as the policy does not allow for a non-admin user
@@ -64,7 +61,7 @@ else
 exit 1
 fi
-export OS_USERNAME="kube-system-admin"
+export OS_USERNAME="alice"
 export OS_PROJECT_NAME="demoProject"
 TOKEN=$(keystone_token)
 kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get ingress -n kube-system
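Review bot: With bob now authenticated through LDAP, the negative check that follows these exports ("See this does fail as the policy does not allow for a non-admin user") can pass for the wrong reason. If the LDAP bind or the `ldapdomain` lookup fails, no valid token is issued and the request is rejected just as a policy denial would be. The lines that fetch the token and run the denied request are outside the hunk, so this is inferred; if they do not already verify it, a guard such as `[ -n "$TOKEN" ] || exit 1` right after the token is obtained would keep an authentication failure from counting as a passed authorization test. A comment above the exports, e.g. `# bob/alice and their password are seeded by the LDAP gate fixture; test-only credentials`, would also record where the literals `password`, `bob` and `ldapdomain` come from.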
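Review bot: Changing only `OS_USERNAME` to `alice` leaves this second token request dependent on the `OS_PASSWORD` and `OS_USER_DOMAIN_NAME` values exported for bob in the previous hunk, so the check silently assumes both LDAP users share one password and one domain. Re-exporting them beside the username, or adding `# alice reuses OS_PASSWORD and OS_USER_DOMAIN_NAME exported for bob above`, would make that dependency visible to whoever next edits the fixture. The if/else block whose tail opens this hunk begins outside it.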