qinling/devstack/plugin.sh
Lingxian Kong 46457cdfe5 Support TLS connection to etcd
This change also modifies the devstack installation script to re-use
k8s api server etcd client certs as qinling etcd certs, and use TLS to
connect with etcd by default in devstack.

Because the etcd server in k8s 1.10 doesn't support https by default, this
patch also upgrade k8s to 1.11 in devstack installation.

Change-Id: I10959188eb8543d006f65b751557787171334a97
Task: 24227
Story: 2003284
2018-08-23 10:35:53 +12:00

220 lines
6.8 KiB
Bash
Executable File

#!/usr/bin/env bash
# Save trace setting
XTRACE=$(set +o | grep xtrace)
set -o xtrace
function install_qinling {
git_clone $QINLING_REPO $QINLING_DIR $QINLING_BRANCH
setup_develop $QINLING_DIR
}
function install_qinlingclient {
if use_library_from_git "python-qinlingclient"; then
git_clone $QINLINGCLIENT_REPO $QINLINGCLIENT_DIR $QINLINGCLIENT_BRANCH
setup_develop $QINLINGCLIENT_DIR
else
pip_install python-qinlingclient
fi
}
function install_k8s {
pushd $QINLING_DIR
source tools/gate/kubeadm/setup_gate.sh
popd
# Pre-fetch the default docker image for runtimes and image function
# test.
sudo docker pull $QINLING_PYTHON_RUNTIME_IMAGE
sudo docker pull $QINLING_NODEJS_RUNTIME_IMAGE
sudo docker pull $QINLING_SIDECAR_IMAGE
sudo docker pull openstackqinling/alpine-test
}
function create_qinling_accounts {
create_service_user "qinling" "admin"
local qinling_service=$(get_or_create_service "qinling" "function-engine" "Function Service")
qinling_api_url="$QINLING_SERVICE_PROTOCOL://$QINLING_SERVICE_HOST:$QINLING_SERVICE_PORT"
get_or_create_endpoint $qinling_service \
"$REGION_NAME" \
"$qinling_api_url" \
"$qinling_api_url" \
"$qinling_api_url"
# get or adds 'service' role to 'qinling' user on 'demo' project
get_or_add_user_project_role "service" "qinling" "demo"
}
function mkdir_chown_stack {
if [[ ! -d "$1" ]]; then
sudo mkdir -p "$1"
fi
sudo chown -R $STACK_USER:$STACK_USER "$1"
}
function configure_k8s_certificates {
pushd $QINLING_DIR
mkdir_chown_stack "$QINLING_CONF_DIR"/pki
mkdir_chown_stack "$QINLING_CONF_DIR"/pki/kubernetes
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /tmp/cfssl
chmod +x /tmp/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /tmp/cfssljson
chmod +x /tmp/cfssljson
sudo /tmp/cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -config=example/kubernetes/cfssl-ca-config.json -profile=client example/kubernetes/cfssl-client-csr.json | /tmp/cfssljson -bare client
# The command above outputs client-key.pem, client.pem and client.csr
mv client-key.pem "$QINLING_CONF_DIR"/pki/kubernetes/qinling.key
mv client.pem "$QINLING_CONF_DIR"/pki/kubernetes/qinling.crt
rm -f client.csr
cp /etc/kubernetes/pki/ca.crt "$QINLING_CONF_DIR"/pki/kubernetes/ca.crt
popd
}
function configure_etcd_certificates {
pushd $QINLING_DIR
mkdir_chown_stack $QINLING_CONF_DIR/pki/etcd
sudo cp /etc/kubernetes/pki/etcd/ca.crt $QINLING_CONF_DIR/pki/etcd/
# Re-use k8s api server etcd client cert
sudo cp /etc/kubernetes/pki/apiserver-etcd-client.crt $QINLING_CONF_DIR/pki/etcd/qinling-etcd-client.crt
sudo cp /etc/kubernetes/pki/apiserver-etcd-client.key $QINLING_CONF_DIR/pki/etcd/qinling-etcd-client.key
mkdir_chown_stack $QINLING_CONF_DIR/pki/etcd
# For the tempest user to read the key file when running tempest
chmod 644 $QINLING_CONF_DIR/pki/etcd/qinling-etcd-client.key
popd
}
function configure_qinling {
mkdir_chown_stack "$QINLING_AUTH_CACHE_DIR"
rm -rf "$QINLING_AUTH_CACHE_DIR"/*
mkdir_chown_stack "$QINLING_CONF_DIR"
rm -rf "$QINLING_CONF_DIR"/*
mkdir_chown_stack "$QINLING_FUNCTION_STORAGE_DIR"
rm -rf "$QINLING_FUNCTION_STORAGE_DIR"/*
cp $QINLING_DIR/etc/policy.json.sample $QINLING_POLICY_FILE
# Generate Qinling configuration file and configure common parameters.
oslo-config-generator --config-file $QINLING_DIR/tools/config/config-generator.qinling.conf --output-file $QINLING_CONF_FILE
iniset $QINLING_CONF_FILE oslo_policy policy_file $QINLING_POLICY_FILE
iniset $QINLING_CONF_FILE DEFAULT debug $QINLING_DEBUG
iniset $QINLING_CONF_FILE DEFAULT server all
iniset $QINLING_CONF_FILE DEFAULT logging_context_format_string "%(asctime)s %(process)d %(color)s %(levelname)s [%(request_id)s] %(message)s %(resource)s (%(name)s)"
iniset $QINLING_CONF_FILE storage file_system_dir $QINLING_FUNCTION_STORAGE_DIR
# Setup keystone_authtoken section
configure_auth_token_middleware $QINLING_CONF_FILE qinling $QINLING_AUTH_CACHE_DIR
iniset $QINLING_CONF_FILE keystone_authtoken www_authenticate_uri $KEYSTONE_AUTH_URI_V3
iniset $QINLING_CONF_FILE keystone_authtoken region_name "$REGION_NAME"
# Setup RabbitMQ credentials
iniset_rpc_backend qinling $QINLING_CONF_FILE
# Configure the database.
iniset $QINLING_CONF_FILE database connection `database_connection_url qinling`
# Configure Kubernetes API server certificates for qinling if required.
if [ "$QINLING_K8S_APISERVER_TLS" == "True" ]; then
iniset $QINLING_CONF_FILE kubernetes kube_host https://$(hostname -f):6443
configure_k8s_certificates
sudo kubectl create -f $QINLING_DIR/example/kubernetes/k8s_qinling_role.yaml
else
iniset $QINLING_CONF_FILE kubernetes use_api_certificate False
fi
# Config etcd TLS certs
configure_etcd_certificates
iniset $QINLING_CONF_FILE kubernetes replicas 5
}
function init_qinling {
# (re)create qinling database
recreate_database qinling utf8
$QINLING_BIN_DIR/qinling-db-manage --config-file $QINLING_CONF_FILE upgrade head
}
function start_qinling {
run_process qinling-engine "$QINLING_BIN_DIR/qinling-engine --config-file $QINLING_CONF_FILE"
run_process qinling-api "$QINLING_BIN_DIR/qinling-api --config-file $QINLING_CONF_FILE"
}
function stop_qinling {
local serv
for serv in qinling-api qinling-engine; do
stop_process $serv
done
}
function cleanup_qinling {
sudo rm -rf $QINLING_AUTH_CACHE_DIR/*
sudo rm -rf $QINLING_CONF_DIR/*
}
# check for service enabled
if is_service_enabled qinling; then
if [[ "$1" == "stack" && "$2" == "install" ]]; then
# Perform installation of service source
echo_summary "Installing qinling"
install_qinling
echo_summary "Installing qinlingclient"
install_qinlingclient
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
# Configure after the other layer 1 and 2 services have been configured
echo_summary "Configuring qinling"
if is_service_enabled key; then
create_qinling_accounts
fi
echo_summary "Installing kubernetes cluster"
install_k8s
configure_qinling
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
# Initialize and start the qinling service
echo_summary "Initializing qinling"
init_qinling
start_qinling
fi
if [[ "$1" == "unstack" ]]; then
echo_summary "Shutting down qinling"
stop_qinling
fi
if [[ "$1" == "clean" ]]; then
echo_summary "Cleaning qinling"
cleanup_qinling
fi
fi
# Restore xtrace
$XTRACE