Add domain specific driver support

This patch set allows for domain specific driver (ldap and sql) for keystone. Change-Id: Iad8e07fdfdb0e4abc96a7e8100467959ed275dfb
2017-12-22 09:16:28 -06:00 · 2017-12-22 09:16:28 -06:00 · 9173fc7f75
commit 9173fc7f75
parent e69957b2be
6 changed files with 109 additions and 3 deletions
--- a/keystone/templates/bin/_bootstrap.sh.tpl
+++ b/keystone/templates/bin/_bootstrap.sh.tpl
@ -17,4 +17,8 @@ limitations under the License.
 */}}

 set -ex
+{{- range $k, $v := .Values.conf.ks_domains }}
+openstack --debug domain create --or-show {{ $k }}
+keystone-manage domain_config_upload --domain-name {{ $k }} || true
+{{- end }}
 {{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
--- a/keystone/templates/bin/_db-sync.sh.tpl
+++ b/keystone/templates/bin/_db-sync.sh.tpl
@ -19,7 +19,6 @@ limitations under the License.
 set -ex

 keystone-manage --config-file=/etc/keystone/keystone.conf db_sync
-
 keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \
    --bootstrap-username ${OS_USERNAME} \
    --bootstrap-password ${OS_PASSWORD} \
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@ -49,4 +49,8 @@ data:
 {{- tuple .Values.conf.wsgi_keystone "etc/_wsgi-keystone.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
  sso_callback_template.html: |+
 {{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+{{- range $k, $v := .Values.conf.ks_domains }}
+  keystone.{{ $k }}.conf: |+
+{{ include "helm-toolkit.utils.to_oslo_conf" $v | indent 4 }}
+{{- end }}
 {{- end }}
--- a/keystone/templates/job-bootstrap.yaml
+++ b/keystone/templates/job-bootstrap.yaml
@ -43,7 +43,7 @@ spec:
 {{ tuple $envAll $dependencies $mounts_keystone_bootstrap_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
      containers:
        - name: keystone-bootstrap
-          image: {{ .Values.images.tags.bootstrap }}
+          image: {{ .Values.images.tags.keystone_bootstrap }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          env:
@ -53,16 +53,52 @@ spec:
          command:
            - /tmp/bootstrap.sh
          volumeMounts:
+            - name: etckeystonedomains
+              mountPath: {{ .Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}
+            - name: etckeystone
+              mountPath: /etc/keystone
            - name: keystone-bin
              mountPath: /tmp/bootstrap.sh
              subPath: bootstrap.sh
              readOnly: true
+            - name: keystone-etc
+              mountPath: /etc/keystone/keystone.conf
+              subPath: keystone.conf
+              readOnly: true
+{{- range $k, $v := .Values.conf.ks_domains }}
+            - name: keystone-etc
+              mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}/keystone.{{ $k }}.conf
+              subPath: keystone.{{ $k }}.conf
+              readOnly: true
+{{- end }}
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+            - name: keystone-fernet-keys
+              mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
+{{- end }}
+            - name: keystone-credential-keys
+              mountPath: {{ .Values.conf.keystone.credential.key_repository }}
 {{ if $mounts_keystone_bootstrap.volumeMounts }}{{ toYaml $mounts_keystone_bootstrap.volumeMounts | indent 12 }}{{ end }}
      volumes:
+        - name: etckeystone
+          emptyDir: {}
+        - name: etckeystonedomains
+          emptyDir: {}
+        - name: keystone-etc
+          configMap:
+            name: keystone-etc
+            defaultMode: 0444
        - name: keystone-bin
          configMap:
            name: keystone-bin
            defaultMode: 0555
+{{- if eq .Values.conf.keystone.token.provider "fernet" }}
+        - name: keystone-fernet-keys
+          secret:
+            secretName: keystone-fernet-keys
+{{- end }}
+        - name: keystone-credential-keys
+          secret:
+            secretName: keystone-credential-keys
 {{ if $mounts_keystone_bootstrap.volumes }}{{ toYaml $mounts_keystone_bootstrap.volumes | indent 9 }}{{ end }}
 {{- end }}
 {{- end }}
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -25,7 +25,7 @@ release_group: null

 images:
  tags:
-    bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
+    keystone_bootstrap: docker.io/kolla/ubuntu-source-keystone:3.0.3
    test: docker.io/kolla/ubuntu-source-rally:4.0.0
    db_init: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
    keystone_db_sync: docker.io/kolla/ubuntu-source-keystone:3.0.3
@ -262,6 +262,9 @@ conf:
      max_token_size: 255
    token:
      provider: fernet
+    identity:
+      domain_specific_drivers_enabled: True
+      domain_config_dir: /etc/keystonedomains
    fernet_tokens:
      key_repository: /etc/keystone/fernet-keys/
    credential:
@ -271,6 +274,12 @@ conf:
    cache:
      enabled: true
      backend: dogpile.cache.memcached
+  # NOTE(lamt) We can leverage multiple domains with different
+  # configurations as outlined in
+  # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
+  # A sample of the value override can be found in sample file:
+  # tools/overrides/example/keystone_domain_config.yaml
+  # ks_domains:
  paste:
    filter:debug:
      use: egg:oslo.middleware#debug
--- a/tools/overrides/example/keystone_domain_config.yaml
+++ b/tools/overrides/example/keystone_domain_config.yaml
@ -0,0 +1,54 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# MVP values for neutron using Linux Bridge.
+# This file contains overrides to launch a MVP deployment of neutron using
+# Linux Bridge for the OpenStack-Helm gates, and local development use.
+# It should be kept to the bare minimum required for this purpose.
+
+# This example sets the default domain to be LDAP based, and adds in a new
+# dbdomain that is SQL-backed.  Note that for this to work, you need to set
+# an admin (env: OS_USERNAME and OS_PASSWORD) that is valid in the LDAP.
+conf:
+  keystone:
+    identity:
+      driver: ldap
+      default_domain_id: default
+      domain_specific_drivers_enabled: True
+      domain_configurations_from_database: True
+      domain_config_dir: /etc/keystonedomains
+    ldap:
+      url: "ldap://ldap.openstack.svc.cluster.local:389"
+      user: "cn=admin,dc=cluster,dc=local"
+      password: password
+      suffix: "dc=cluster,dc=local"
+      user_attribute_ignore: enabled,email,tenants,default_project_id
+      query_scope: sub
+      user_enabled_emulation: True
+      user_enabled_emulation_dn: "cn=overwatch,ou=Groups,dc=cluster,dc=local"
+      user_tree_dn: "ou=People,dc=cluster,dc=local"
+      user_enabled_mask: 2
+      user_enabled_default: 512
+      user_name_attribute: cn
+      user_id_attribute: sn
+      user_mail_attribute: mail
+      user_pass_attribute: userPassword
+      group_tree_dn: "ou=Groups,dc=cluster,dc=local"
+      user_allow_create: False
+      user_allow_delete: False
+      user_allow_update: False
+  ks_domains:
+    dbdomain:
+      identity:
+        driver: sql