Add domain specific driver support

This patch set adds support for domain-specific identity drivers (LDAP and SQL)
for keystone.

Change-Id: Iad8e07fdfdb0e4abc96a7e8100467959ed275dfb
Tin Lam 2017-12-22 09:16:28 -06:00
parent e69957b2be
commit 9173fc7f75
6 changed files with 109 additions and 3 deletions


@ -17,4 +17,8 @@ limitations under the License.
*/}}
set -ex
{{- range $k, $v := .Values.conf.ks_domains }}
openstack --debug domain create --or-show {{ $k }}
keystone-manage domain_config_upload --domain-name {{ $k }} || true
{{- end }}
{{ .Values.bootstrap.script | default "echo 'Not Enabled'" }}
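Review bot: The `|| true` on the `keystone-manage domain_config_upload` line turns a failed upload into a silent success, and a domain whose config never reached the database will run on keystone's default identity driver instead of the LDAP or SQL driver the operator configured — a misconfiguration the job's exit status no longer reveals. If the intent is only to tolerate the re-run case where the config is already uploaded, that is better made explicit, or at least logged: `keystone-manage domain_config_upload --domain-name "{{ $k }}" || echo "WARNING: domain config upload failed for {{ $k }}; domain may be running on the default driver"`. The `{{ $k }}` expansions on both the `openstack domain create` and `keystone-manage` lines are also unquoted in shell, so a domain name containing whitespace splits into several arguments; quoting them is cheap. Whether keystone-manage distinguishes "already uploaded" from other failures by exit code is not visible here and should be confirmed before narrowing the guard.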


@ -19,7 +19,6 @@ limitations under the License.
set -ex
keystone-manage --config-file=/etc/keystone/keystone.conf db_sync
keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \
--bootstrap-username ${OS_USERNAME} \
--bootstrap-password ${OS_PASSWORD} \


@ -49,4 +49,8 @@ data:
{{- tuple .Values.conf.wsgi_keystone "etc/_wsgi-keystone.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
sso_callback_template.html: |+
{{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
{{- range $k, $v := .Values.conf.ks_domains }}
keystone.{{ $k }}.conf: |+
{{ include "helm-toolkit.utils.to_oslo_conf" $v | indent 4 }}
{{- end }}
{{- end }}
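Review bot: The per-domain files produced by the `range .Values.conf.ks_domains` loop are rendered into the `keystone-etc` ConfigMap, and an LDAP-backed domain config carries the bind credential (`ldap.password` in the example override of this commit), so a secret ends up in a ConfigMap rather than a Secret. Anyone able to read ConfigMaps in the namespace — typically a much wider audience than Secret readers under RBAC — can recover the LDAP bind password from it. Consider rendering `keystone.{{ $k }}.conf` into a Secret (the chart's existing one or a dedicated `keystone-domains` Secret) and mounting it from there, or at minimum add `# NOTE: ks_domains entries may carry LDAP bind credentials; they belong in a Secret, not this ConfigMap` above the loop until that is done. Whether `keystone.conf` in the same ConfigMap already holds database credentials is outside this change, but the same concern would apply there.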


@ -43,7 +43,7 @@ spec:
{{ tuple $envAll $dependencies $mounts_keystone_bootstrap_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: keystone-bootstrap
image: {{ .Values.images.tags.bootstrap }}
image: {{ .Values.images.tags.keystone_bootstrap }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
@ -53,16 +53,52 @@ spec:
command:
- /tmp/bootstrap.sh
volumeMounts:
- name: etckeystonedomains
mountPath: {{ .Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}
- name: etckeystone
mountPath: /etc/keystone
- name: keystone-bin
mountPath: /tmp/bootstrap.sh
subPath: bootstrap.sh
readOnly: true
- name: keystone-etc
mountPath: /etc/keystone/keystone.conf
subPath: keystone.conf
readOnly: true
{{- range $k, $v := .Values.conf.ks_domains }}
- name: keystone-etc
mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}/keystone.{{ $k }}.conf
subPath: keystone.{{ $k }}.conf
readOnly: true
{{- end }}
{{- if eq .Values.conf.keystone.token.provider "fernet" }}
- name: keystone-fernet-keys
mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
{{- end }}
- name: keystone-credential-keys
mountPath: {{ .Values.conf.keystone.credential.key_repository }}
{{ if $mounts_keystone_bootstrap.volumeMounts }}{{ toYaml $mounts_keystone_bootstrap.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: etckeystone
emptyDir: {}
- name: etckeystonedomains
emptyDir: {}
- name: keystone-etc
configMap:
name: keystone-etc
defaultMode: 0444
- name: keystone-bin
configMap:
name: keystone-bin
defaultMode: 0555
{{- if eq .Values.conf.keystone.token.provider "fernet" }}
- name: keystone-fernet-keys
secret:
secretName: keystone-fernet-keys
{{- end }}
- name: keystone-credential-keys
secret:
secretName: keystone-credential-keys
{{ if $mounts_keystone_bootstrap.volumes }}{{ toYaml $mounts_keystone_bootstrap.volumes | indent 9 }}{{ end }}
{{- end }}
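Review bot: The bootstrap job mounts both the `keystone-fernet-keys` and `keystone-credential-keys` Secrets, yet the work the new bootstrap.sh does — `openstack domain create` against the API and `keystone-manage domain_config_upload` — does not obviously need token or credential key material. If these mounts were carried over rather than newly required, dropping them keeps signing keys out of a one-shot pod whose image (`keystone_bootstrap`) and script now differ from the other keystone jobs; least privilege for a job that already holds admin credentials and the LDAP bind password is worth the trim. Whether an operator-supplied `.Values.bootstrap.script` relies on them is not visible here, so confirm before removing. A comment such as `# fernet/credential keys are mounted for bootstrap scripts that need them; domain bootstrap itself does not` would at least record the decision.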
{{- end }}


@ -25,7 +25,7 @@ release_group: null
images:
tags:
bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
keystone_bootstrap: docker.io/kolla/ubuntu-source-keystone:3.0.3
test: docker.io/kolla/ubuntu-source-rally:4.0.0
db_init: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
keystone_db_sync: docker.io/kolla/ubuntu-source-keystone:3.0.3
@ -262,6 +262,9 @@ conf:
max_token_size: 255
token:
provider: fernet
identity:
domain_specific_drivers_enabled: True
domain_config_dir: /etc/keystonedomains
fernet_tokens:
key_repository: /etc/keystone/fernet-keys/
credential:
@ -271,6 +274,12 @@ conf:
cache:
enabled: true
backend: dogpile.cache.memcached
# NOTE(lamt) We can leverage multiple domains with different
# configurations as outlined in
# https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html.
# A sample of the value override can be found in sample file:
# tools/overrides/example/keystone_domain_config.yaml
# ks_domains:
paste:
filter:debug:
use: egg:oslo.middleware#debug
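Review bot: `identity.domain_specific_drivers_enabled: True` is now on by default, but `domain_configurations_from_database` is not set in the defaults (only the example override sets it), and with keystone's default for that option, which is false as far as I recall, the API processes look for `keystone.<domain>.conf` files under `domain_config_dir` on disk — and this commit mounts those files only into the bootstrap job, not into the API pods, as far as the six changed files show. Either add `domain_configurations_from_database: true` next to the two new keys so the uploaded configs are actually consumed, or mount the domain files into the API deployment as well; otherwise a configured LDAP domain silently serves from the SQL default driver. The boolean is also spelled `True`; `true` is the canonical YAML form and is what this file already uses for `cache.enabled`. The `# ks_domains:` comment would help more if it stated that each entry's `identity.driver` selects `ldap` or `sql` and that LDAP entries carry a bind password that must be treated as a secret.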


@ -0,0 +1,54 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# MVP values for neutron using Linux Bridge.
# This file contains overrides to launch a MVP deployment of neutron using
# Linux Bridge for the OpenStack-Helm gates, and local development use.
# It should be kept to the bare minimum required for this purpose.
# This example sets the default domain to be LDAP based, and adds in a new
# dbdomain that is SQL-backed. Note that for this to work, you need to set
# an admin (env: OS_USERNAME and OS_PASSWORD) that is valid in the LDAP.
conf:
keystone:
identity:
driver: ldap
default_domain_id: default
domain_specific_drivers_enabled: True
domain_configurations_from_database: True
domain_config_dir: /etc/keystonedomains
ldap:
url: "ldap://ldap.openstack.svc.cluster.local:389"
user: "cn=admin,dc=cluster,dc=local"
password: password
suffix: "dc=cluster,dc=local"
user_attribute_ignore: enabled,email,tenants,default_project_id
query_scope: sub
user_enabled_emulation: True
user_enabled_emulation_dn: "cn=overwatch,ou=Groups,dc=cluster,dc=local"
user_tree_dn: "ou=People,dc=cluster,dc=local"
user_enabled_mask: 2
user_enabled_default: 512
user_name_attribute: cn
user_id_attribute: sn
user_mail_attribute: mail
user_pass_attribute: userPassword
group_tree_dn: "ou=Groups,dc=cluster,dc=local"
user_allow_create: False
user_allow_delete: False
user_allow_update: False
ks_domains:
dbdomain:
identity:
driver: sql
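Review bot: The header comment of this new override still describes "a MVP deployment of neutron using Linux Bridge", which is copy-pasted and wrong for a keystone domain-config example; replace it with `# Example overrides enabling domain-specific identity drivers for keystone.` The example binds to `ldap://...:389` with an inline `password: password` and no `use_tls`/`tls_cacertfile`, so the bind credential and every user lookup cross the cluster network in clear; an example people will copy should use `ldaps://` or `use_tls: true` and source the password from a secret rather than a literal. `user_id_attribute: sn` keys user identity on the surname, which is neither unique nor stable in a typical directory — `uid` or `entryUUID` is the usual choice — though this may be deliberate for the gate's canned LDAP fixture. `user_enabled_emulation: True` is also combined with `user_enabled_mask`/`user_enabled_default`, which are two different enabled-detection mechanisms; a comment stating which one the fixture relies on would prevent copy-paste confusion.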