Added basic keystone support

Change-Id: Ib1b143438053cb43c071bc4d4db3a6c6fc923e98

.dockerignore

@@ -0,0 +1,3 @@
+.eggs
+.stestr
+.tox

chart/crds/identity.openstack.org_keystones.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: keystones.identity.openstack.org
+spec:
+  group: identity.openstack.org
+  names:
+    kind: Keystone
+    listKind: KeystoneList
+    plural: keystones
+    singular: keystone
+  scope: Namespaced
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

chart/templates/clusterrole.yaml

@@ -113,6 +113,7 @@ rules:
   - identity.openstack.org
   resources:
   - services
+  - keystones
   verbs:
   - create
   - delete
@@ -125,6 +126,7 @@ rules:
   - identity.openstack.org
   resources:
   - services/status
+  - keystones/status
   verbs:
   - get
   - patch

chart/templates/deployment.yaml

@@ -31,6 +31,8 @@ spec:
         - -m
         - openstack_operator.horizon
         - -m
+        - openstack_operator.keystone
+        - -m
         - openstack_operator.mcrouter
         - -m
         - openstack_operator.memcached

config/samples/identity_v1alpha1_keystone.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: identity.openstack.org/v1alpha1
+kind: Keystone
+metadata:
+  name: sample
+spec:
+  configDir: /etc/keystone

config/samples/infrastructure_v1alpha1_memcached.yaml

@@ -1,7 +1,7 @@
 apiVersion: infrastructure.vexxhost.cloud/v1alpha1
 kind: Memcached
 metadata:
-  name: sample
+  name: devstack
   labels:
     monitoring: haha
 spec:

devstack/override-defaults

@@ -14,6 +14,29 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+function get_kubernetes_service_ip {
+	local svc="$1"
+
+	for i in {1..30}; do
+		ip=$(kubectl get svc/$svc -ojsonpath='{.spec.clusterIP}') && break || sleep 1;
+	done
+
+	return $ip
+}
+
+function proxy_pass_to_kubernetes {
+	local url=$1
+	local svc=$2
+
+	local ip=$(get_kubernetes_service_ip $svc)
+	local apache_conf=$(apache_site_config_for $name)
+
+	echo "ProxyPass \"${url}\" \"http://${ip}/\"" | sudo tee -a $apache_conf
+
+	enable_apache_site $name
+	restart_apache_server
+}
+
 # Gets or creates service
 # Usage: get_or_create_service <name> <type> <description>
 function get_or_create_service {
@@ -29,3 +52,86 @@ spec:
 EOF
 }
 export -f get_or_create_service
+
+# install_keystone() - Collect source and prepare
+function install_keystone {
+	cat <<EOF | kubectl apply -f-
+---
+apiVersion: identity.openstack.org/v1alpha1
+kind: Keystone
+metadata:
+  name: devstack
+spec:
+  configDir: ${KEYSTONE_CONF_DIR}
+EOF
+}
+export -f install_keystone
+
+# init_keystone() - Initialize databases, etc.
+function init_keystone {
+	if [[ "$RECREATE_KEYSTONE_DB" == True ]]; then
+		# (Re)create keystone database
+		recreate_database keystone
+	fi
+
+	time_start "dbsync"
+	kubectl exec deploy/keystone-devstack -- keystone-manage --config-file $KEYSTONE_CONF db_sync
+	time_stop "dbsync"
+
+	if [[ "$KEYSTONE_TOKEN_FORMAT" == "fernet" ]]; then
+		rm -rf "$KEYSTONE_CONF_DIR/fernet-keys/"
+		kubectl exec deploy/keystone-devstack keystone-manage --config-file $KEYSTONE_CONF fernet_setup
+	fi
+
+	rm -rf "$KEYSTONE_CONF_DIR/credential-keys/"
+	kubectl exec deploy/keystone-devstack -- keystone-manage --config-file $KEYSTONE_CONF credential_setup
+}
+export -f init_keystone
+
+# start_keystone() - Start running processes
+function start_keystone {
+	# Get right service port for testing
+	local service_port=$KEYSTONE_SERVICE_PORT
+	local auth_protocol=$KEYSTONE_AUTH_PROTOCOL
+	if is_service_enabled tls-proxy; then
+		service_port=$KEYSTONE_SERVICE_PORT_INT
+		auth_protocol="http"
+	fi
+
+	proxy_pass_to_kubernetes /identity keystone-devstack
+
+	echo "Waiting for keystone to start..."
+	# Check that the keystone service is running. Even if the tls tunnel
+	# should be enabled, make sure the internal port is checked using
+	# unencryted traffic at this point.
+	# If running in Apache, use the path rather than port.
+
+	local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
+
+	if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
+		die $LINENO "keystone did not start"
+	fi
+
+	# Start proxies if enabled
+	if is_service_enabled tls-proxy; then
+		start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
+		start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
+	fi
+
+	# (re)start memcached to make sure we have a clean memcache.
+	kubectl rollout restart statefulset/memcached-devstack
+}
+export -f start_keystone
+
+function bootstrap_keystone {
+	kubectl exec deploy/keystone-devstack -- keystone-manage bootstrap \
+		--bootstrap-username admin \
+		--bootstrap-password "$ADMIN_PASSWORD" \
+		--bootstrap-project-name admin \
+		--bootstrap-role-name admin \
+		--bootstrap-service-name keystone \
+		--bootstrap-region-id "$REGION_NAME" \
+		--bootstrap-admin-url "$KEYSTONE_AUTH_URI" \
+		--bootstrap-public-url "$KEYSTONE_SERVICE_URI"
+}
+export -f bootstrap_keystone

images/keystone/Dockerfile

@@ -0,0 +1,28 @@
+# Copyright (c) 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM docker.io/opendevorg/python-builder as builder
+COPY bindep.txt /tmp/src/bindep.txt
+RUN assemble keystone==16.0.0 \
+             msgpack===0.6.1 \
+             PyMySQL \
+	     python-memcached
+
+FROM docker.io/opendevorg/uwsgi-base
+COPY --from=builder /output/ /output
+RUN /output/install-from-bindep
+EXPOSE 5000
+ENV UWSGI_HTTP_SOCKET=:5000 \
+    UWSGI_WSGI_FILE=/usr/local/bin/keystone-wsgi-public

images/keystone/bindep.txt

@@ -0,0 +1,3 @@
+gcc [compile]
+libc-dev [compile]
+libssl-dev [compile]

openstack_operator/keystone.py

@@ -0,0 +1,37 @@
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Keystone Operator
+
+This module maintains the operator for Keystone which does everything from
+deployment to taking care of rotating fernet & credentials keys."""
+
+import kopf
+
+from openstack_operator import utils
+
+
+@kopf.on.resume('identity.openstack.org', 'v1alpha1', 'keystones')
+@kopf.on.create('identity.openstack.org', 'v1alpha1', 'keystones')
+def create_or_resume(name, spec, **_):
+    """Create and re-sync any Keystone instances
+
+    This function is called when a new resource is created but also when we
+    start the service up for the first time.
+    """
+
+    utils.create_or_update('keystone/deployment.yml.j2',
+                           name=name, spec=spec)
+    utils.create_or_update('keystone/service.yml.j2',
+                           name=name, spec=spec)

openstack_operator/templates/keystone/deployment.yml.j2

@@ -0,0 +1,74 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keystone-{{ name }}
+  labels:
+    {{ labels("keystone", name) | indent(4) }}
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      {{ labels("keystone", name) | indent(6) }}
+  template:
+    metadata:
+      labels:
+        {{ labels("keystone", name) | indent(8) }}
+    spec:
+      containers:
+      - name: keystone
+        image: vexxhost/keystone:latest
+        imagePullPolicy: Always
+        ports:
+        - name: keystone
+          containerPort: 5000
+        livenessProbe:
+          httpGet:
+            path: /
+            port: keystone
+        readinessProbe:
+          httpGet:
+            path: /
+            port: keystone
+        resources:
+          limits:
+            cpu: 1000m
+            ephemeral-storage: 500M
+            memory: 256M
+          requests:
+            cpu: 500m
+            ephemeral-storage: 500M
+            memory: 128M
+        securityContext:
+          runAsUser: 65534
+          runAsGroup: 65534
+        volumeMounts:
+        - mountPath: /etc/keystone
+          name: config
+      volumes:
+      - name: config
+        hostPath:
+          path: {{ spec['configDir'] }}
+          type: Directory
+{% if 'nodeSelector' in spec %}
+      nodeSelector:
+        {{ spec.nodeSelector | to_yaml | indent(8) }}
+{% endif %}
+{% if 'tolerations' in spec %}
+      tolerations:
+        {{ spec.tolerations | to_yaml | indent(8) }}
+{% endif %}

openstack_operator/templates/keystone/service.yml.j2

@@ -0,0 +1,28 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: keystone-{{ name }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: keystone
+    port: 80
+    protocol: TCP
+    targetPort: keystone
+  selector:
+    {{ labels("keystone", name) | indent(4) }}

playbooks/functional/devstack.yaml

@@ -17,7 +17,7 @@
 - hosts: all
   tasks:
     - name: Get Memcached IP address
-      command: kubectl get svc/mcrouter-memcached-sample -o=jsonpath='{.spec.clusterIP}'
+      command: kubectl get svc/mcrouter-memcached-devstack -o=jsonpath='{.spec.clusterIP}'
       register: _memcached_ip
     - name: Get RabbitMQ IP address
       command: kubectl get svc/rabbitmq-sample -o=jsonpath='{.spec.clusterIP}'

playbooks/functional/tests/memcached.yaml

@@ -22,7 +22,7 @@
     name: wait-for-pods
 
 - name: Get all pod IPs for Memcached
-  command: kubectl get pods -l app.kubernetes.io/name=memcached,app.kubernetes.io/instance=sample -o=jsonpath='{range .items[*]}{.status.podIP}{"\n"}{end}'
+  command: kubectl get pods -l app.kubernetes.io/name=memcached,app.kubernetes.io/instance=devstack -o=jsonpath='{range .items[*]}{.status.podIP}{"\n"}{end}'
   register: _memcached_ips
   until: _memcached_ips is success
   retries: 10
@@ -41,7 +41,7 @@
   failed_when: "'memcached_up 1' not in _metrics.content"
 
 - name: Get all pod IPs for Mcrouter
-  command: kubectl get pods -l app.kubernetes.io/name=mcrouter,app.kubernetes.io/instance=memcached-sample -o=jsonpath='{range .items[*]}{.status.podIP}{"\n"}{end}'
+  command: kubectl get pods -l app.kubernetes.io/name=mcrouter,app.kubernetes.io/instance=memcached-devstack -o=jsonpath='{range .items[*]}{.status.podIP}{"\n"}{end}'
   register: _mcrouter_ips
   until: _mcrouter_ips is success
   retries: 10

zuul.d/functional-jobs.yaml

@@ -20,37 +20,41 @@
       jobs:
       - openstack-operator:functional:
           dependencies:
-          - name: openstack-operator:images:build:mcrouter-exporter
-            soft: true
-          - name: openstack-operator:images:build:horizon
+          - name: openstack-operator:images:build:ceilometer
             soft: true
           - name: openstack-operator:images:build:rabbitmq
             soft: true
-          - name: openstack-operator:images:build:ceilometer
+          - name: openstack-operator:images:build:keystone
             soft: true
-          - name: openstack-operator:images:build:memcached-exporter
+          - name: openstack-operator:images:build:horizon
             soft: true
           - name: openstack-operator:images:build:memcached
             soft: true
           - name: openstack-operator:images:build:mcrouter
             soft: true
           - openstack-operator:images:build:openstack-operator
+          - name: openstack-operator:images:build:mcrouter-exporter
+            soft: true
+          - name: openstack-operator:images:build:memcached-exporter
+            soft: true
     gate:
       jobs:
       - openstack-operator:functional:
           dependencies:
-          - name: openstack-operator:images:upload:mcrouter-exporter
-            soft: true
-          - name: openstack-operator:images:upload:horizon
+          - name: openstack-operator:images:upload:ceilometer
             soft: true
           - name: openstack-operator:images:upload:rabbitmq
             soft: true
-          - name: openstack-operator:images:upload:ceilometer
+          - name: openstack-operator:images:upload:keystone
             soft: true
-          - name: openstack-operator:images:upload:memcached-exporter
+          - name: openstack-operator:images:upload:horizon
             soft: true
           - name: openstack-operator:images:upload:memcached
             soft: true
           - name: openstack-operator:images:upload:mcrouter
             soft: true
           - openstack-operator:images:upload:openstack-operator
+          - name: openstack-operator:images:upload:mcrouter-exporter
+            soft: true
+          - name: openstack-operator:images:upload:memcached-exporter
+            soft: true

zuul.d/horizon-jobs.yaml

@@ -6,6 +6,8 @@
       docker_images:
       - context: images/horizon
         repository: vexxhost/horizon
+    dependencies:
+    - openstack-operator:images:build:openstack-operator
     files: &id002
     - ^images/horizon/.*
 - job:
@@ -13,6 +15,8 @@
     parent: vexxhost-upload-docker-image
     provides: openstack-operator:image:horizon
     vars: *id001
+    dependencies:
+    - openstack-operator:images:upload:openstack-operator
     files: *id002
 - job:
     name: openstack-operator:images:promote:horizon

zuul.d/keystone-jobs.yaml

@@ -0,0 +1,35 @@
+- job:
+    name: openstack-operator:images:build:keystone
+    parent: vexxhost-build-docker-image
+    provides: openstack-operator:image:keystone
+    vars: &id001
+      docker_images:
+      - context: images/keystone
+        repository: vexxhost/keystone
+    dependencies:
+    - openstack-operator:images:build:openstack-operator
+    files: &id002
+    - ^images/keystone/.*
+- job:
+    name: openstack-operator:images:upload:keystone
+    parent: vexxhost-upload-docker-image
+    provides: openstack-operator:image:keystone
+    vars: *id001
+    dependencies:
+    - openstack-operator:images:upload:openstack-operator
+    files: *id002
+- job:
+    name: openstack-operator:images:promote:keystone
+    parent: vexxhost-promote-docker-image
+    vars: *id001
+    files: *id002
+- project:
+    check:
+      jobs:
+      - openstack-operator:images:build:keystone
+    gate:
+      jobs:
+      - openstack-operator:images:upload:keystone
+    promote:
+      jobs:
+      - openstack-operator:images:promote:keystone