tacker/roles/setup-default-vim/tasks/main.yaml
Qibin Yao 57902730d6 Add OpenID Connect Token Auth for k8s
This patch adds openid token auth support when calling k8s APIs.

Openid token auth of k8s relies on an external openid provider,
and Keycloak acts as the openid provider in this implementation.

Implements: blueprint support-openid-k8s-vim
Change-Id: Ie5e080a20cba3ba0ed514ede7955eb16729d797c
2022-09-12 01:26:53 +00:00


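- block:
    # On the tacker controller: stage the default (Keystone) VIM registration
    # script and its sample VIM config into the Zuul work dir, point both at
    # the live Keystone endpoint recorded in devstack's .stackenv, then run
    # the script.
    - name: Copy tools/test-setup-default-vim.sh
      copy:
        remote_src: true
        src: "{{ devstack_base_dir }}/tacker/tools/test-setup-default-vim.sh"
        dest: "{{ zuul_work_dir }}/tools/test-setup-default-vim.sh"
        mode: "0755"
    - name: Copy test vim file
      copy:
        remote_src: true
        src: "{{ devstack_base_dir }}/tacker/tacker/tests/etc/samples/local-vim.yaml"
        dest: "{{ zuul_work_dir }}/tacker/tests/etc/samples/local-vim.yaml"
    - name: Check if project's tools/test-setup-default-vim.sh exists
      stat:
        path: "{{ zuul_work_dir }}/tools/test-setup-default-vim.sh"
      register: p
    - fail:
        msg: >
          {{ zuul_work_dir }}/tools/test-setup-default-vim.sh doesn't exist
          or it doesn't have execute permission.
      when: not p.stat.exists or not p.stat.executable
    # Everything below runs after the fail above, so the script is known to
    # exist and be executable; no per-task p.stat guard is needed.
    - name: Get stackenv from devstack environment
      slurp:
        src: "{{ devstack_base_dir }}/devstack/.stackenv"
      register: stackenv
    - name: Set a keystone authentication uri
      set_fact:
        auth_uri: "{{
          stackenv.content
          | b64decode
          | regex_replace('\n', ' ')
          | regex_replace('^.*KEYSTONE_SERVICE_URI=([^ ]+).*$', '\\1')
          }}"
    - name: Verify a keystone authentication uri was found
      # regex_replace hands its input back untouched when the pattern does
      # not match, which would otherwise paste the whole flattened .stackenv
      # into the files below instead of a URL. Fail loudly here instead.
      assert:
        that:
          - auth_uri is match('https?://')
        fail_msg: "KEYSTONE_SERVICE_URI not found in {{ devstack_base_dir }}/devstack/.stackenv"
    - name: Replace auth uri in test-setup-default-vim.sh and local-vim.yaml
      replace:
        path: "{{ item }}"
        regexp: "http://127.0.0.1/identity"
        replace: "{{ auth_uri }}"
      loop:
        - "{{ zuul_work_dir }}/tools/test-setup-default-vim.sh"
        - "{{ zuul_work_dir }}/tacker/tests/etc/samples/local-vim.yaml"
    - name: Replace the config file path in the test-setup-default-vim.sh
      # Rewrites the argument that follows "config-file " in the script so it
      # points at the staged sample config by absolute path.
      replace:
        path: "{{ zuul_work_dir }}/tools/test-setup-default-vim.sh"
        regexp: '(?<=config-file )([^ ]+)(?= )'
        replace: "{{ ansible_env.HOME }}/{{ zuul_work_dir }}/tacker/tests/etc/samples/local-vim.yaml"
    - name: Run tools/test-setup-default-vim.sh
      command: tools/test-setup-default-vim.sh
      args:
        chdir: "{{ zuul_work_dir }}"
  when:
    - inventory_hostname == 'controller-tacker'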
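- block:
    # On the k8s controller: create the ServiceAccount Tacker's tests
    # authenticate with, read its bearer token, and fetch the certificates
    # the tacker controller needs to verify the API server (ca.crt) and the
    # Keycloak OIDC provider (keycloak.crt). The token is a cluster
    # credential, so it is kept out of the job output.
    - name: Copy create_admin_token.yaml
      copy:
        src: "create_admin_token.yaml"
        dest: "/tmp/create_admin_token.yaml"
        mode: "0644"
        owner: stack
        group: stack
      become: true
    - name: Create admin ServiceAccount
      command: kubectl create -f /tmp/create_admin_token.yaml
      become: true
      become_user: stack
    - name: Get admin secret name
      # NOTE(review): assumes a token Secret matching *admin-token* exists in
      # kube-system for the account above (create_admin_token.yaml is not
      # shown here; clusters that do not auto-create ServiceAccount token
      # Secrets need it created explicitly). pipefail makes a kubectl error
      # fail the task instead of surfacing as grep's "no match".
      shell: >
        set -o pipefail;
        kubectl get secrets -n kube-system -o name
        | grep admin-token
      args:
        executable: /bin/bash
      register: admin_secret_name
      become: true
      become_user: stack
    - name: Get admin token from described secret
      # Without pipefail a failed kubectl leaves base64 -d exiting 0 with an
      # empty token, which only shows up later as an opaque auth failure on
      # the tacker side; fail here instead. no_log keeps the token out of
      # the (public) job log.
      shell: >
        set -o pipefail;
        kubectl get {{ admin_secret_name.stdout }} -n kube-system -o jsonpath="{.data.token}"
        | base64 -d
      args:
        executable: /bin/bash
      register: admin_token
      failed_when: admin_token.rc != 0 or (admin_token.stdout | length) == 0
      no_log: true
      become: true
      become_user: stack
    - name: Fetch k8s CA certificate
      fetch:
        src: "/etc/kubernetes/pki/ca.crt"
        dest: "/tmp/"
        flat: true
      when: k8s_ssl_verify
    - name: Fetch keycloak server certificate
      fetch:
        src: "/etc/keycloak/ssl/keycloak.crt"
        dest: "/tmp/"
        flat: true
      when: keycloak_host is defined
  when:
    - inventory_hostname == 'controller-k8s'
    - kuryr_k8s_api_url is defined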
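- block:
    # On the tacker controller: stage the k8s VIM registration script and the
    # sample VIM configs (token auth, plus OIDC auth when Keycloak is in
    # play), point them at the live Keystone/k8s/Keycloak endpoints, inject
    # the ServiceAccount token and CA bundle gathered on controller-k8s, then
    # run the script.
    - name: Copy tools/test-setup-k8s-vim.sh
      copy:
        remote_src: true
        src: "{{ devstack_base_dir }}/tacker/tools/test-setup-k8s-vim.sh"
        dest: "{{ zuul_work_dir }}/tools/test-setup-k8s-vim.sh"
        mode: "0755"
    - name: Copy test k8s vim file
      copy:
        remote_src: true
        src: "{{ devstack_base_dir }}/tacker/tacker/tests/etc/samples/local-k8s-vim.yaml"
        dest: "{{ zuul_work_dir }}/tacker/tests/etc/samples/local-k8s-vim.yaml"
    - name: Copy test k8s vim file for oidc
      copy:
        remote_src: true
        src: "{{ devstack_base_dir }}/tacker/tacker/tests/etc/samples/local-k8s-vim-oidc.yaml"
        dest: "{{ zuul_work_dir }}/tacker/tests/etc/samples/local-k8s-vim-oidc.yaml"
      when: keycloak_host is defined
    - name: Check if project's tools/test-setup-k8s-vim.sh exists
      stat:
        path: "{{ zuul_work_dir }}/tools/test-setup-k8s-vim.sh"
      register: p
    - fail:
        msg: >
          {{ zuul_work_dir }}/tools/test-setup-k8s-vim.sh doesn't exist
          or it doesn't have execute permission.
      when: not p.stat.exists or not p.stat.executable
    # Everything below runs after the fail above, so the script is known to
    # exist and be executable; no per-task p.stat guard is needed.
    - name: Get stackenv from devstack environment
      slurp:
        src: "{{ devstack_base_dir }}/devstack/.stackenv"
      register: stackenv
    - name: Set a keystone authentication uri
      set_fact:
        auth_uri: "{{
          stackenv.content
          | b64decode
          | regex_replace('\n', ' ')
          | regex_replace('^.*KEYSTONE_SERVICE_URI=([^ ]+).*$', '\\1')
          }}"
    - name: Verify a keystone authentication uri was found
      # regex_replace hands its input back untouched when the pattern does
      # not match, which would otherwise paste the whole flattened .stackenv
      # into the script below instead of a URL. Fail loudly here instead.
      assert:
        that:
          - auth_uri is match('https?://')
        fail_msg: "KEYSTONE_SERVICE_URI not found in {{ devstack_base_dir }}/devstack/.stackenv"
    - name: Replace keystone auth uri in test-setup-k8s-vim.sh
      replace:
        path: "{{ zuul_work_dir }}/tools/test-setup-k8s-vim.sh"
        regexp: "http://127.0.0.1/identity"
        replace: "{{ auth_uri }}"
    - name: Replace k8s auth uri in local-k8s-vim.yaml
      replace:
        path: "{{ zuul_work_dir }}/tacker/tests/etc/samples/local-k8s-vim.yaml"
        regexp: "https://127.0.0.1:6443"
        replace: "{{ kuryr_k8s_api_url }}"
    - name: Replace k8s auth uri in local-k8s-vim-oidc.yaml
      replace:
        path: "{{ zuul_work_dir }}/tacker/tests/etc/samples/local-k8s-vim-oidc.yaml"
        regexp: "https://127.0.0.1:6443"
        replace: "{{ kuryr_k8s_api_url }}"
      when: keycloak_host is defined
    - name: Replace keycloak uri in local-k8s-vim-oidc.yaml
      replace:
        path: "{{ zuul_work_dir }}/tacker/tests/etc/samples/local-k8s-vim-oidc.yaml"
        regexp: "https://127.0.0.1:8443"
        replace: "https://{{ keycloak_host }}:{{ keycloak_https_port }}"
      when: keycloak_host is defined
    - name: Replace k8s auth token in local-k8s-vim.yaml
      # The ServiceAccount token gathered on controller-k8s is a cluster
      # credential; no_log keeps it out of task output and --diff output.
      # NOTE(review): the token still lands in a file under zuul_work_dir -
      # confirm that directory is not collected as a job artifact.
      replace:
        path: "{{ zuul_work_dir }}/tacker/tests/etc/samples/local-k8s-vim.yaml"
        regexp: "secret_token"
        replace: "{{ hostvars['controller-k8s'].admin_token.stdout }}"
      no_log: true
    - name: Copy k8s CA certificate to tacker
      copy:
        src: "/tmp/ca.crt"
        dest: "/tmp/"
      when: k8s_ssl_verify
    - name: Copy keycloak server certificate to tacker
      copy:
        src: "/tmp/keycloak.crt"
        dest: "/tmp/"
      when: keycloak_host is defined
    - name: Write k8s CA certificate to a certificates aggregated file
      shell: cat /tmp/ca.crt > /tmp/agg.crt
      when: k8s_ssl_verify
    - name: Write keycloak server certificate to a certificates aggregated file
      shell: cat /tmp/keycloak.crt >> /tmp/agg.crt
      when: keycloak_host is defined
    - name: Register ssl certificate if exists
      # agg.crt is absent when neither certificate was gathered; "test -f"
      # then exits 1, which must not abort the block - the rc is checked
      # by the next task instead.
      shell: test -f /tmp/agg.crt && cat /tmp/agg.crt
      register: ssl_ca_cert
      failed_when: false
    - name: Replace ssl_ca_cert in local-k8s-vim.yaml and local-k8s-vim-oidc.yaml
      # NOTE(review): stdout is a multi-line PEM bundle dropped into a
      # single-quoted YAML scalar; the consumer of these sample files is not
      # visible here, so confirm it accepts the resulting line folding.
      replace:
        path: "{{ item }}"
        regexp: "ssl_ca_cert: .*$"
        replace: "ssl_ca_cert: '{{ ssl_ca_cert.stdout }}'"
      loop:
        - "{{ zuul_work_dir }}/tacker/tests/etc/samples/local-k8s-vim.yaml"
        - "{{ zuul_work_dir }}/tacker/tests/etc/samples/local-k8s-vim-oidc.yaml"
      when: ssl_ca_cert.rc == 0 and ssl_ca_cert.stdout != ""
    - name: Replace the config file path in the test-setup-k8s-vim.sh
      # Rewrites the argument that follows "config-file " in the script so it
      # points at the staged sample config by absolute path.
      replace:
        path: "{{ zuul_work_dir }}/tools/test-setup-k8s-vim.sh"
        regexp: '(?<=config-file )([^ ]+)(?= )'
        replace: "{{ ansible_env.HOME }}/{{ zuul_work_dir }}/tacker/tests/etc/samples/local-k8s-vim.yaml"
    - name: Run tools/test-setup-k8s-vim.sh
      command: tools/test-setup-k8s-vim.sh
      args:
        chdir: "{{ zuul_work_dir }}"
  when:
    - inventory_hostname == 'controller-tacker'
    - kuryr_k8s_api_url is defined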
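- block:
    # On the tacker controller: stage tools/test-setup-mgmt.sh into the Zuul
    # work dir and run it. Unlike the VIM blocks, the script is executed
    # unmodified.
    - name: Copy tools/test-setup-mgmt.sh
      copy:
        remote_src: true
        src: "{{ devstack_base_dir }}/tacker/tools/test-setup-mgmt.sh"
        dest: "{{ zuul_work_dir }}/tools/test-setup-mgmt.sh"
        mode: "0755"
    - name: Check if project's tools/test-setup-mgmt.sh exists
      stat:
        path: "{{ zuul_work_dir }}/tools/test-setup-mgmt.sh"
      register: p
    - fail:
        msg: >
          {{ zuul_work_dir }}/tools/test-setup-mgmt.sh doesn't exist
          or it doesn't have execute permission.
      when: not p.stat.exists or not p.stat.executable
    - name: Get stackenv from devstack environment
      slurp:
        src: "{{ devstack_base_dir }}/devstack/.stackenv"
      register: stackenv
    - name: Set a keystone authentication uri
      # NOTE(review): nothing in this block reads auth_uri; the fact is kept
      # only so it stays defined on the host for whatever follows - confirm
      # whether this task (and the slurp above) can be dropped.
      set_fact:
        auth_uri: "{{
          stackenv.content
          | b64decode
          | regex_replace('\n', ' ')
          | regex_replace('^.*KEYSTONE_SERVICE_URI=([^ ]+).*$', '\\1')
          }}"
    - name: Run tools/test-setup-mgmt.sh
      # The fail task above already guarantees the script exists and is
      # executable.
      command: tools/test-setup-mgmt.sh
      args:
        chdir: "{{ zuul_work_dir }}"
  when:
    - inventory_hostname == 'controller-tacker'
    - kuryr_k8s_api_url is defined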