openstack/python-tripleoclient
Code Issues Proposed changes

Generate Keystone credentials for overcloud

Browse Source 
Keystone recently forced users to generate Keystone credentials in
/etc/keystone. The generation of credential can be done by
keystone-manage tool but it would require to do it on one node, export
the key into a storage system and collect the key on keystone servers.

This approach will generate a uniq Keystone credential key and export
two parameters: KeystoneCredential0 and KeystoneCredential1 that we will
use in puppet-keystone and Hiera to define the static content of the
keys.

It will allow us to do multinode deployments with the same keys.

This is a first iteration of Keystone credential supports. It doesn't
support rotations yet.

Change-Id: Ibca678b8bf222ecdef6615e34553598be3e55bf0
This commit is contained in:
Emilien Macchi
2016-09-06 14:32:24 -04:00
parent f1efe9d23b
commit 5f0694a64e
4 changed files with 32 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
tripleoclient/tests/test_utils.py
View File

@@ -524,6 +524,13 @@ class TestCreateCephxKey(TestCase):
self.assertEqual(len(key), 40) self.assertEqual(len(key), 40)
class TestCreateKeystoneCredential(TestCase):
def test_create_keystone_credential(self):
key = utils.create_keystone_credential()
self.assertEqual(len(key), 44)
class TestNodeGetCapabilities(TestCase): class TestNodeGetCapabilities(TestCase):
def test_with_capabilities(self): def test_with_capabilities(self):
node = mock.Mock(properties={'capabilities': 'x:y,foo:bar'}) node = mock.Mock(properties={'capabilities': 'x:y,foo:bar'})

21
tripleoclient/tests/v1/overcloud_deploy/test_overcloud_deploy.py
View File

@@ -91,8 +91,10 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
@mock.patch('tripleoclient.utils.check_hypervisor_stats', @mock.patch('tripleoclient.utils.check_hypervisor_stats',
autospec=True) autospec=True)
@mock.patch('uuid.uuid1', autospec=True) @mock.patch('uuid.uuid1', autospec=True)
@mock.patch('tripleoclient.utils.create_keystone_credential',
autospec=True)
@mock.patch('time.time', autospec=True) @mock.patch('time.time', autospec=True)
def test_tht_scale(self, mock_time, mock_uuid1, def test_tht_scale(self, mock_time, mock_creds, mock_uuid1,
mock_check_hypervisor_stats, mock_get_key, mock_check_hypervisor_stats, mock_get_key,
mock_create_env, generate_certs_mock, mock_create_env, generate_certs_mock,
mock_get_templte_contents, mock_process_multiple_env, mock_get_templte_contents, mock_process_multiple_env,
@@ -114,6 +116,7 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
] ]
mock_uuid1.return_value = "uuid" mock_uuid1.return_value = "uuid"
mock_creds.return_value = "key"
mock_time.return_value = 123456789 mock_time.return_value = 123456789
mock_generate_overcloud_passwords.return_value = self._get_passwords() mock_generate_overcloud_passwords.return_value = self._get_passwords()
@@ -173,6 +176,8 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
'HypervisorNeutronPhysicalBridge': 'br-ex', 'HypervisorNeutronPhysicalBridge': 'br-ex',
'HypervisorNeutronPublicInterface': 'nic1', 'HypervisorNeutronPublicInterface': 'nic1',
'IronicPassword': 'password', 'IronicPassword': 'password',
'KeystoneCredential0': 'key',
'KeystoneCredential1': 'key',
'ManilaPassword': 'password', 'ManilaPassword': 'password',
'MistralPassword': 'password', 'MistralPassword': 'password',
'MysqlClustercheckPassword': 'password', 'MysqlClustercheckPassword': 'password',
@@ -259,8 +264,10 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
@mock.patch('tripleoclient.utils.check_hypervisor_stats', @mock.patch('tripleoclient.utils.check_hypervisor_stats',
autospec=True) autospec=True)
@mock.patch('uuid.uuid1', autospec=True) @mock.patch('uuid.uuid1', autospec=True)
@mock.patch('tripleoclient.utils.create_keystone_credential',
autospec=True)
@mock.patch('time.time', autospec=True) @mock.patch('time.time', autospec=True)
def test_tht_deploy(self, mock_time, mock_uuid1, def test_tht_deploy(self, mock_time, mock_creds, mock_uuid1,
mock_check_hypervisor_stats, mock_get_key, mock_check_hypervisor_stats, mock_get_key,
mock_create_env, generate_certs_mock, mock_create_env, generate_certs_mock,
mock_get_templte_contents, mock_process_multiple_env, mock_get_templte_contents, mock_process_multiple_env,
@@ -282,6 +289,7 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
] ]
mock_uuid1.return_value = "uuid" mock_uuid1.return_value = "uuid"
mock_creds.return_value = "key"
mock_time.return_value = 123456789 mock_time.return_value = 123456789
mock_generate_overcloud_passwords.return_value = self._get_passwords() mock_generate_overcloud_passwords.return_value = self._get_passwords()
@@ -344,6 +352,8 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
'HypervisorNeutronPhysicalBridge': 'br-ex', 'HypervisorNeutronPhysicalBridge': 'br-ex',
'HypervisorNeutronPublicInterface': 'nic1', 'HypervisorNeutronPublicInterface': 'nic1',
'IronicPassword': 'password', 'IronicPassword': 'password',
'KeystoneCredential0': 'key',
'KeystoneCredential1': 'key',
'ManilaPassword': 'password', 'ManilaPassword': 'password',
'MistralPassword': 'password', 'MistralPassword': 'password',
'MysqlClustercheckPassword': 'password', 'MysqlClustercheckPassword': 'password',
@@ -1196,8 +1206,10 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
@mock.patch('tripleoclient.utils.check_hypervisor_stats', @mock.patch('tripleoclient.utils.check_hypervisor_stats',
autospec=True) autospec=True)
@mock.patch('uuid.uuid1', autospec=True) @mock.patch('uuid.uuid1', autospec=True)
@mock.patch('tripleoclient.utils.create_keystone_credential',
autospec=True)
@mock.patch('time.time', autospec=True) @mock.patch('time.time', autospec=True)
def test_tht_deploy_with_ntp(self, mock_time, mock_uuid1, def test_tht_deploy_with_ntp(self, mock_time, mock_creds, mock_uuid1,
mock_check_hypervisor_stats, mock_check_hypervisor_stats,
mock_get_key, mock_create_env, mock_get_key, mock_create_env,
generate_certs_mock, generate_certs_mock,
@@ -1227,6 +1239,7 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
] ]
mock_uuid1.return_value = "uuid" mock_uuid1.return_value = "uuid"
mock_creds.return_value = "key"
mock_time.return_value = 123456789 mock_time.return_value = 123456789
mock_generate_overcloud_passwords.return_value = self._get_passwords() mock_generate_overcloud_passwords.return_value = self._get_passwords()
@@ -1294,6 +1307,8 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
'HypervisorNeutronPhysicalBridge': 'br-ex', 'HypervisorNeutronPhysicalBridge': 'br-ex',
'HypervisorNeutronPublicInterface': 'nic1', 'HypervisorNeutronPublicInterface': 'nic1',
'IronicPassword': 'password', 'IronicPassword': 'password',
'KeystoneCredential0': 'key',
'KeystoneCredential1': 'key',
'ManilaPassword': 'password', 'ManilaPassword': 'password',
'MistralPassword': 'password', 'MistralPassword': 'password',
'MysqlClustercheckPassword': 'password', 'MysqlClustercheckPassword': 'password',

4
tripleoclient/utils.py
View File

@@ -552,6 +552,10 @@ def create_cephx_key():
return base64.b64encode(header + key) return base64.b64encode(header + key)
def create_keystone_credential():
return base64.urlsafe_b64encode(os.urandom(32))
def run_shell(cmd): def run_shell(cmd):
return subprocess.call([cmd], shell=True) return subprocess.call([cmd], shell=True)

4
tripleoclient/v1/overcloud_deploy.py
View File

@@ -191,7 +191,9 @@ class DeployOvercloud(command.Command):
if stack_is_new: if stack_is_new:
parameters.update({ parameters.update({
'CephClusterFSID': six.text_type(uuid.uuid1())}) 'CephClusterFSID': six.text_type(uuid.uuid1()),
'KeystoneCredential0': utils.create_keystone_credential(),
'KeystoneCredential1': utils.create_keystone_credential()})
return parameters return parameters