From ed82abff0f2cee84e7ca2103915af1c69c42c2a1 Mon Sep 17 00:00:00 2001
From: Shuicheng Lin
Date: Thu, 19 Nov 2020 13:29:58 +0800
Subject: [PATCH] Create stx_admin account for flock service to communicate with openstack admin account is used before, but if admin password is changed, flock service cannot be notified and cannot get the new password, so flock service like nfv-vim cannot fetch openstack vm info ever. stx_admin account is created for this case.
Depends-On: https://review.opendev.org/753971
Closes-Bug: 1887755
Change-Id: I36f2442036bf6c98fbb0af727fddf1dd50e58330
Signed-off-by: Shuicheng Lin
---
 openstack-helm/centos/openstack-helm.spec | 2 +
 .../files/0010-Add-stx_admin-account.patch | 103 ++++++++++++++++++
 .../k8sapp_openstack/helm/keystone.py | 6 +
 .../k8sapp_openstack/helm/openstack.py | 3 +
 4 files changed, 114 insertions(+)
 create mode 100644 openstack-helm/files/0010-Add-stx_admin-account.patch
diff --git a/openstack-helm/centos/openstack-helm.spec b/openstack-helm/centos/openstack-helm.spec
index 6699f84c..62ee8b92 100644
--- a/openstack-helm/centos/openstack-helm.spec
+++ b/openstack-helm/centos/openstack-helm.spec
@@ -28,6 +28,7 @@ Patch06: 0006-Support-ingress-creation-for-keystone-admin-endpoint.patch
 Patch07: 0007-Allow-more-generic-overrides-for-placeme.patch
 Patch08: 0008-Allow-set-public-endpoint-url-for-keystone-endpoints.patch
 Patch09: 0009-Wrong-usage-of-rbd_store_chunk_size.patch
+Patch10: 0010-Add-stx_admin-account.patch
 BuildRequires: helm
 BuildRequires: openstack-helm-infra
@@ -48,6 +49,7 @@ Openstack Helm charts
 %patch07 -p1
 %patch08 -p1
 %patch09 -p1
+%patch10 -p1
 %build
 # Stage helm-toolkit in the local repo
diff --git a/openstack-helm/files/0010-Add-stx_admin-account.patch b/openstack-helm/files/0010-Add-stx_admin-account.patch
new file mode 100644
index 00000000..182d2bda
--- /dev/null
+++ b/openstack-helm/files/0010-Add-stx_admin-account.patch
@@ -0,0 +1,103 @@
+From 50e5e101857767fa5b20a3f548e3f28ffb8664ed Mon Sep 17 00:00:00 2001
+From: Shuicheng Lin
+Date: Wed, 28 Oct 2020 15:17:34 +0800
+Subject: [PATCH] Add stx_admin account for host to communicate with openstack
+ app
+
+Signed-off-by: Shuicheng Lin
+---
+ keystone/templates/job-ks-user.yaml | 18 ++++++++++++++++++
+ keystone/templates/secret-keystone.yaml | 2 +-
+ keystone/values.yaml | 17 +++++++++++++++++
+ 3 files changed, 36 insertions(+), 1 deletion(-)
+ create mode 100644 keystone/templates/job-ks-user.yaml
+
+diff --git a/keystone/templates/job-ks-user.yaml b/keystone/templates/job-ks-user.yaml
+new file mode 100644
+index 0000000..aec4641
+--- /dev/null
++++ b/keystone/templates/job-ks-user.yaml
+@@ -0,0 +1,18 @@
++{{/*
++Licensed under the Apache License, Version 2.0 (the "License");
++you may not use this file except in compliance with the License.
++You may obtain a copy of the License at
++
++ http://www.apache.org/licenses/LICENSE-2.0
++
++Unless required by applicable law or agreed to in writing, software
++distributed under the License is distributed on an "AS IS" BASIS,
++WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++See the License for the specific language governing permissions and
++limitations under the License.
++*/}}
++
++{{- if .Values.manifests.job_ks_user }}
++{{- $ksUserJob := dict "envAll" . "serviceName" "keystone" "serviceUser" "stx_admin" -}}
++{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
++{{- end }}
+diff --git a/keystone/templates/secret-keystone.yaml b/keystone/templates/secret-keystone.yaml
+index 5aa87ab..0e471f1 100644
+--- a/keystone/templates/secret-keystone.yaml
++++ b/keystone/templates/secret-keystone.yaml
+@@ -14,7 +14,7 @@ limitations under the License.
+
+ {{- if .Values.manifests.secret_keystone }}
+ {{- $envAll := .
}}
+-{{- range $key1, $userClass := tuple "admin" "test" }}
++{{- range $key1, $userClass := tuple "admin" "test" "stx_admin" }}
+ {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+ ---
+ apiVersion: v1
+diff --git a/keystone/values.yaml b/keystone/values.yaml
+index 473379d..68bbcdd 100644
+--- a/keystone/values.yaml
++++ b/keystone/values.yaml
+@@ -146,6 +146,10 @@ dependencies:
+ services:
+ - endpoint: internal
+ service: oslo_db
++ ks_user:
++ services:
++ - endpoint: internal
++ service: identity
+ rabbit_init:
+ services:
+ - service: oslo_messaging
+@@ -1062,6 +1066,7 @@ secrets:
+ identity:
+ admin: keystone-keystone-admin
+ test: keystone-keystone-test
++ stx_admin: keystone-keystone-stxadmin
+ oslo_db:
+ admin: keystone-db-admin
+ keystone: keystone-db-user
+@@ -1104,6 +1109,17 @@ endpoints:
+ user_domain_name: default
+ project_domain_name: default
+ default_domain_id: default
++ stx_admin:
++ role:
++ - admin
++ - member
++ region_name: RegionOne
++ username: stx_admin
++ password: password
++ project_name: admin
++ user_domain_name: default
++ project_domain_name: default
++ default_domain_id: default
+ test:
+ role: admin
+ region_name: RegionOne
+@@ -1254,6 +1270,7 @@ manifests:
+ job_domain_manage: true
+ job_fernet_setup: true
+ job_image_repo_sync: true
++ job_ks_user: true
+ job_rabbit_init: true
+ pdb_api: true
+ pod_rally_test: true
+--
+2.7.4
+
diff --git a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/keystone.py b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/keystone.py
index d8116468..093a01c4 100644
--- a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/keystone.py
+++ b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/keystone.py
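Review bot: The `stx_admin` block added under `endpoints:` in keystone/values.yaml ships with `password: password` and the `admin` role on the `admin` project, so any deployment that does not override that value ends up with a well-known credential on an admin-capable account. The Python hunks in this commit add a getter for the stored password but do not show it being written into the chart overrides, so it is worth confirming where that override is set before relying on it. A comment on the default, for example `# placeholder only; must be overridden by the platform plugin`, would make the expectation explicit. It is also worth checking whether the flock services need `member` in addition to `admin`, or whether a narrower role would do.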
@@ -289,5 +289,11 @@ class KeystoneHelm(openstack.OpenstackBaseHelm):
 return self._get_identity_password(o_service, o_user)
+ def get_stx_admin_password(self):
+ o_user = common.USER_STX_ADMIN
+ o_service = common.SERVICE_ADMIN
+
+ return self._get_identity_password(o_service, o_user)
+
 def get_region_name(self):
 return self._get_service_region_name(self.SERVICE_NAME)
diff --git a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/openstack.py b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/openstack.py
index 9ebedb2e..40b70a6c 100644
--- a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/openstack.py
+++ b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/openstack.py
@@ -345,6 +345,9 @@ class OpenstackBaseHelm(base.BaseHelm):
 if user == common.USER_ADMIN:
 o_user = self._get_admin_user_name()
 o_service = common.SERVICE_ADMIN
+ elif user == common.USER_STX_ADMIN:
+ o_user = user
+ o_service = common.SERVICE_ADMIN
 else:
 o_user = user
 o_service = service
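Review bot: `get_stx_admin_password` has no docstring, and a getter that hands back the credential of an admin-role account deserves one line on what it returns and how the result should be handled. Something like `"""Return the stored keystone password for the stx_admin user; callers must not log it."""` would do, with the storage detail to be confirmed against `_get_identity_password`, which is defined outside the hunk. The KeystoneHelm class body starts outside the hunk, so callers of the new getter are not visible here.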
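Review bot: The added `elif user == common.USER_STX_ADMIN:` branch in openstack.py ignores the caller's `service` argument and always uses `common.SERVICE_ADMIN`, and nothing in the hunk says why. A comment such as `# stx_admin is looked up under the admin service, like admin, but keeps its own user name` would mark that as intentional. The enclosing function starts and ends outside the hunk, so what happens when no stored entry exists is not visible; if that path generates or defaults a password, confirm that is acceptable for an admin-role account.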