Create stx_admin account for flock service to communicate with openstack

admin account is used before, but if admin password is changed, flock service cannot be notified and cannot get the new password, so flock service like nfv-vim cannot fetch openstack vm info ever. stx_admin account is created for this case. Depends-On: https://review.opendev.org/753971 Closes-Bug: 1887755 Change-Id: I36f2442036bf6c98fbb0af727fddf1dd50e58330 Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
2020-11-19 13:29:58 +08:00 · 2020-11-19 13:29:58 +08:00 · ed82abff0f
parent da3a6dd8e0
commit ed82abff0f
4 changed files with 114 additions and 0 deletions
--- a/openstack-helm/centos/openstack-helm.spec
+++ b/openstack-helm/centos/openstack-helm.spec
@ -28,6 +28,7 @@ Patch06: 0006-Support-ingress-creation-for-keystone-admin-endpoint.patch
 Patch07: 0007-Allow-more-generic-overrides-for-placeme.patch
 Patch08: 0008-Allow-set-public-endpoint-url-for-keystone-endpoints.patch
 Patch09: 0009-Wrong-usage-of-rbd_store_chunk_size.patch
+Patch10: 0010-Add-stx_admin-account.patch

 BuildRequires: helm
 BuildRequires: openstack-helm-infra
@ -48,6 +49,7 @@ Openstack Helm charts
 %patch07 -p1
 %patch08 -p1
 %patch09 -p1
+%patch10 -p1

 %build
 # Stage helm-toolkit in the local repo
--- a/openstack-helm/files/0010-Add-stx_admin-account.patch
+++ b/openstack-helm/files/0010-Add-stx_admin-account.patch
@ -0,0 +1,103 @@
+From 50e5e101857767fa5b20a3f548e3f28ffb8664ed Mon Sep 17 00:00:00 2001
+From: Shuicheng Lin <shuicheng.lin@intel.com>
+Date: Wed, 28 Oct 2020 15:17:34 +0800
+Subject: [PATCH] Add stx_admin account for host to communicate with openstack
+ app
+
+Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
+---
+ keystone/templates/job-ks-user.yaml     | 18 ++++++++++++++++++
+ keystone/templates/secret-keystone.yaml |  2 +-
+ keystone/values.yaml                    | 17 +++++++++++++++++
+ 3 files changed, 36 insertions(+), 1 deletion(-)
+ create mode 100644 keystone/templates/job-ks-user.yaml
+
+diff --git a/keystone/templates/job-ks-user.yaml b/keystone/templates/job-ks-user.yaml
+new file mode 100644
+index 0000000..aec4641
+--- /dev/null
+++ b/keystone/templates/job-ks-user.yaml
+@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_ks_user }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "keystone" "serviceUser" "stx_admin" -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
+{{- end }}
+diff --git a/keystone/templates/secret-keystone.yaml b/keystone/templates/secret-keystone.yaml
+index 5aa87ab..0e471f1 100644
+--- a/keystone/templates/secret-keystone.yaml
+++ b/keystone/templates/secret-keystone.yaml
+@@ -14,7 +14,7 @@ limitations under the License.
+ 
+ {{- if .Values.manifests.secret_keystone }}
+ {{- $envAll := . }}
+-{{- range $key1, $userClass := tuple "admin" "test" }}
+{{- range $key1, $userClass := tuple "admin" "test" "stx_admin" }}
+ {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+ ---
+ apiVersion: v1
+diff --git a/keystone/values.yaml b/keystone/values.yaml
+index 473379d..68bbcdd 100644
+--- a/keystone/values.yaml
+++ b/keystone/values.yaml
+@@ -146,6 +146,10 @@ dependencies:
+       services:
+         - endpoint: internal
+           service: oslo_db
+    ks_user:
+      services:
+        - endpoint: internal
+          service: identity
+     rabbit_init:
+       services:
+         - service: oslo_messaging
+@@ -1062,6 +1066,7 @@ secrets:
+   identity:
+     admin: keystone-keystone-admin
+     test: keystone-keystone-test
+    stx_admin: keystone-keystone-stxadmin
+   oslo_db:
+     admin: keystone-db-admin
+     keystone: keystone-db-user
+@@ -1104,6 +1109,17 @@ endpoints:
+         user_domain_name: default
+         project_domain_name: default
+         default_domain_id: default
+      stx_admin:
+        role:
+          - admin
+          - member
+        region_name: RegionOne
+        username: stx_admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+        default_domain_id: default
+       test:
+         role: admin
+         region_name: RegionOne
+@@ -1254,6 +1270,7 @@ manifests:
+   job_domain_manage: true
+   job_fernet_setup: true
+   job_image_repo_sync: true
+  job_ks_user: true
+   job_rabbit_init: true
+   pdb_api: true
+   pod_rally_test: true
+-- 
+2.7.4
+
--- a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/keystone.py
+++ b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/keystone.py
@ -289,5 +289,11 @@ class KeystoneHelm(openstack.OpenstackBaseHelm):

        return self._get_identity_password(o_service, o_user)

+    def get_stx_admin_password(self):
+        o_user = common.USER_STX_ADMIN
+        o_service = common.SERVICE_ADMIN
+
+        return self._get_identity_password(o_service, o_user)
+
    def get_region_name(self):
        return self._get_service_region_name(self.SERVICE_NAME)
--- a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/openstack.py
+++ b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/openstack.py
@ -345,6 +345,9 @@ class OpenstackBaseHelm(base.BaseHelm):
            if user == common.USER_ADMIN:
                o_user = self._get_admin_user_name()
                o_service = common.SERVICE_ADMIN
+            elif user == common.USER_STX_ADMIN:
+                o_user = user
+                o_service = common.SERVICE_ADMIN
            else:
                o_user = user
                o_service = service