Generate Keystone credentials for overcloud
Keystone recently started requiring users to generate Keystone credentials in /etc/keystone. The credentials can be generated with the keystone-manage tool, but that would require running it on one node, exporting the key to a storage system and collecting the key on the Keystone servers. This approach will generate a unique Keystone credential key and export two parameters, KeystoneCredential0 and KeystoneCredential1, that we will use in puppet-keystone and Hiera to define the static content of the keys. It will allow us to do multinode deployments with the same keys. This is a first iteration of Keystone credential support. It doesn't support rotation yet. Change-Id: Ibca678b8bf222ecdef6615e34553598be3e55bf0
@@ -524,6 +524,13 @@ class TestCreateCephxKey(TestCase):
|
||||
self.assertEqual(len(key), 40)
|
||||
|
||||
|
||||
class TestCreateKeystoneCredential(TestCase):
|
||||
|
||||
def test_create_keystone_credential(self):
|
||||
key = utils.create_keystone_credential()
|
||||
self.assertEqual(len(key), 44)
|
||||
|
||||
|
||||
class TestNodeGetCapabilities(TestCase):
|
||||
def test_with_capabilities(self):
|
||||
node = mock.Mock(properties={'capabilities': 'x:y,foo:bar'})
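Review bot: test_create_keystone_credential checks only `len(key) == 44`, which any 44-character value satisfies, whether it is str or bytes. Since the helper is meant to return 32 random bytes in URL-safe base64, the test could also decode the value, `self.assertEqual(len(base64.urlsafe_b64decode(key)), 32)`, and assert that two consecutive calls return different keys. Whether `base64` is already imported in this test module is not visible in the hunk.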
|
||||
|
||||
@@ -91,8 +91,10 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
|
||||
@mock.patch('tripleoclient.utils.check_hypervisor_stats',
|
||||
autospec=True)
|
||||
@mock.patch('uuid.uuid1', autospec=True)
|
||||
@mock.patch('tripleoclient.utils.create_keystone_credential',
|
||||
autospec=True)
|
||||
@mock.patch('time.time', autospec=True)
|
||||
def test_tht_scale(self, mock_time, mock_uuid1,
|
||||
def test_tht_scale(self, mock_time, mock_creds, mock_uuid1,
|
||||
mock_check_hypervisor_stats, mock_get_key,
|
||||
mock_create_env, generate_certs_mock,
|
||||
mock_get_templte_contents, mock_process_multiple_env,
|
||||
@@ -114,6 +116,7 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
|
||||
]
|
||||
|
||||
mock_uuid1.return_value = "uuid"
|
||||
mock_creds.return_value = "key"
|
||||
mock_time.return_value = 123456789
|
||||
|
||||
mock_generate_overcloud_passwords.return_value = self._get_passwords()
|
||||
@@ -173,6 +176,8 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
|
||||
'HypervisorNeutronPhysicalBridge': 'br-ex',
|
||||
'HypervisorNeutronPublicInterface': 'nic1',
|
||||
'IronicPassword': 'password',
|
||||
'KeystoneCredential0': 'key',
|
||||
'KeystoneCredential1': 'key',
|
||||
'ManilaPassword': 'password',
|
||||
'MistralPassword': 'password',
|
||||
'MysqlClustercheckPassword': 'password',
|
||||
@@ -259,8 +264,10 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
|
||||
@mock.patch('tripleoclient.utils.check_hypervisor_stats',
|
||||
autospec=True)
|
||||
@mock.patch('uuid.uuid1', autospec=True)
|
||||
@mock.patch('tripleoclient.utils.create_keystone_credential',
|
||||
autospec=True)
|
||||
@mock.patch('time.time', autospec=True)
|
||||
def test_tht_deploy(self, mock_time, mock_uuid1,
|
||||
def test_tht_deploy(self, mock_time, mock_creds, mock_uuid1,
|
||||
mock_check_hypervisor_stats, mock_get_key,
|
||||
mock_create_env, generate_certs_mock,
|
||||
mock_get_templte_contents, mock_process_multiple_env,
|
||||
@@ -282,6 +289,7 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
|
||||
]
|
||||
|
||||
mock_uuid1.return_value = "uuid"
|
||||
mock_creds.return_value = "key"
|
||||
mock_time.return_value = 123456789
|
||||
|
||||
mock_generate_overcloud_passwords.return_value = self._get_passwords()
|
||||
@@ -344,6 +352,8 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
|
||||
'HypervisorNeutronPhysicalBridge': 'br-ex',
|
||||
'HypervisorNeutronPublicInterface': 'nic1',
|
||||
'IronicPassword': 'password',
|
||||
'KeystoneCredential0': 'key',
|
||||
'KeystoneCredential1': 'key',
|
||||
'ManilaPassword': 'password',
|
||||
'MistralPassword': 'password',
|
||||
'MysqlClustercheckPassword': 'password',
|
||||
@@ -1196,8 +1206,10 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
|
||||
@mock.patch('tripleoclient.utils.check_hypervisor_stats',
|
||||
autospec=True)
|
||||
@mock.patch('uuid.uuid1', autospec=True)
|
||||
@mock.patch('tripleoclient.utils.create_keystone_credential',
|
||||
autospec=True)
|
||||
@mock.patch('time.time', autospec=True)
|
||||
def test_tht_deploy_with_ntp(self, mock_time, mock_uuid1,
|
||||
def test_tht_deploy_with_ntp(self, mock_time, mock_creds, mock_uuid1,
|
||||
mock_check_hypervisor_stats,
|
||||
mock_get_key, mock_create_env,
|
||||
generate_certs_mock,
|
||||
@@ -1227,6 +1239,7 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
|
||||
]
|
||||
|
||||
mock_uuid1.return_value = "uuid"
|
||||
mock_creds.return_value = "key"
|
||||
mock_time.return_value = 123456789
|
||||
|
||||
mock_generate_overcloud_passwords.return_value = self._get_passwords()
|
||||
@@ -1294,6 +1307,8 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
|
||||
'HypervisorNeutronPhysicalBridge': 'br-ex',
|
||||
'HypervisorNeutronPublicInterface': 'nic1',
|
||||
'IronicPassword': 'password',
|
||||
'KeystoneCredential0': 'key',
|
||||
'KeystoneCredential1': 'key',
|
||||
'ManilaPassword': 'password',
|
||||
'MistralPassword': 'password',
|
||||
'MysqlClustercheckPassword': 'password',
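Review bot: `mock_creds.return_value = "key"` makes KeystoneCredential0 and KeystoneCredential1 both equal 'key', so the expected-parameters check cannot tell two independent key generations from one value reused for both parameters. Giving the mock distinct results, for example `mock_creds.side_effect = ["key0", "key1"]` with `'KeystoneCredential0': 'key0'` and `'KeystoneCredential1': 'key1'` in the expected dict, would pin that each parameter gets its own call. The same applies to test_tht_scale, test_tht_deploy and test_tht_deploy_with_ntp, whose bodies continue outside the hunks shown.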
|
||||
|
||||
@@ -552,6 +552,10 @@ def create_cephx_key():
|
||||
return base64.b64encode(header + key)
|
||||
|
||||
|
||||
def create_keystone_credential():
|
||||
return base64.urlsafe_b64encode(os.urandom(32))
|
||||
|
||||
|
||||
def run_shell(cmd):
|
||||
return subprocess.call([cmd], shell=True)
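Review bot: create_keystone_credential returns whatever `base64.urlsafe_b64encode` yields, which is `bytes` on Python 3, and the value is placed directly into the deployment parameters next to `six.text_type(...)` strings. The 44-length test passes for bytes too, so nothing here would catch a bytes value reaching parameter serialisation. Decoding at the source keeps the type consistent: `return base64.urlsafe_b64encode(os.urandom(32)).decode('ascii')`. A one-line docstring would also help, e.g. `"""Return a new Keystone credential key: 32 bytes from os.urandom, URL-safe base64 encoded (44 characters)."""`, so the size and the use of the OS CSPRNG are not changed casually later.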
|
||||
|
||||
|
||||
@@ -191,7 +191,9 @@ class DeployOvercloud(command.Command):
|
||||
|
||||
if stack_is_new:
|
||||
parameters.update({
|
||||
'CephClusterFSID': six.text_type(uuid.uuid1())})
|
||||
'CephClusterFSID': six.text_type(uuid.uuid1()),
|
||||
'KeystoneCredential0': utils.create_keystone_credential(),
|
||||
'KeystoneCredential1': utils.create_keystone_credential()})
|
||||
|
||||
return parameters
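Review bot: KeystoneCredential0 and KeystoneCredential1 are set only inside `if stack_is_new:`, so a stack created before this change gets no keys from the client on a later update. Whether the templates supply a usable default in that case is not visible here and should be confirmed. A comment on the block would record the intent, e.g. `# Generated once at stack creation; regenerating on update would replace the keys already in use (rotation is not supported yet).` These values are key material, so it is also worth checking that the parameters dict is not logged or written out in clear by code outside this hunk. The enclosing method starts before the hunk.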
|
||||
|
||||
|
||||