Browse Source

Added basic keystone support

Change-Id: Ib1b143438053cb43c071bc4d4db3a6c6fc923e98
changes/37/725137/8
Mohammed Naser 1 year ago
parent
commit
97501c4460
17 changed files with 371 additions and 14 deletions
  1. +3
    -0
      .dockerignore
  2. +24
    -0
      chart/crds/identity.openstack.org_keystones.yaml
  3. +2
    -0
      chart/templates/clusterrole.yaml
  4. +2
    -0
      chart/templates/deployment.yaml
  5. +7
    -0
      config/samples/identity_v1alpha1_keystone.yaml
  6. +1
    -1
      config/samples/infrastructure_v1alpha1_memcached.yaml
  7. +106
    -0
      devstack/override-defaults
  8. +28
    -0
      images/keystone/Dockerfile
  9. +3
    -0
      images/keystone/bindep.txt
  10. +37
    -0
      openstack_operator/keystone.py
  11. +74
    -0
      openstack_operator/templates/keystone/deployment.yml.j2
  12. +28
    -0
      openstack_operator/templates/keystone/service.yml.j2
  13. +1
    -1
      playbooks/functional/devstack.yaml
  14. +2
    -2
      playbooks/functional/tests/memcached.yaml
  15. +14
    -10
      zuul.d/functional-jobs.yaml
  16. +4
    -0
      zuul.d/horizon-jobs.yaml
  17. +35
    -0
      zuul.d/keystone-jobs.yaml

+ 3
- 0
.dockerignore View File

@ -0,0 +1,3 @@
.eggs
.stestr
.tox

+ 24
- 0
chart/crds/identity.openstack.org_keystones.yaml View File

@ -0,0 +1,24 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: keystones.identity.openstack.org
spec:
group: identity.openstack.org
names:
kind: Keystone
listKind: KeystoneList
plural: keystones
singular: keystone
scope: Namespaced
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

+ 2
- 0
chart/templates/clusterrole.yaml View File

@ -113,6 +113,7 @@ rules:
- identity.openstack.org
resources:
- services
- keystones
verbs:
- create
- delete
@ -125,6 +126,7 @@ rules:
- identity.openstack.org
resources:
- services/status
- keystones/status
verbs:
- get
- patch


+ 2
- 0
chart/templates/deployment.yaml View File

@ -31,6 +31,8 @@ spec:
- -m
- openstack_operator.horizon
- -m
- openstack_operator.keystone
- -m
- openstack_operator.mcrouter
- -m
- openstack_operator.memcached


+ 7
- 0
config/samples/identity_v1alpha1_keystone.yaml View File

@ -0,0 +1,7 @@
---
apiVersion: identity.openstack.org/v1alpha1
kind: Keystone
metadata:
name: sample
spec:
configDir: /etc/keystone

+ 1
- 1
config/samples/infrastructure_v1alpha1_memcached.yaml View File

@ -1,7 +1,7 @@
apiVersion: infrastructure.vexxhost.cloud/v1alpha1
kind: Memcached
metadata:
name: sample
name: devstack
labels:
monitoring: haha
spec:


+ 106
- 0
devstack/override-defaults View File

@ -14,6 +14,29 @@
# License for the specific language governing permissions and limitations
# under the License.
function get_kubernetes_service_ip {
local svc="$1"
for i in {1..30}; do
ip=$(kubectl get svc/$svc -ojsonpath='{.spec.clusterIP}') && break || sleep 1;
done
return $ip
}
function proxy_pass_to_kubernetes {
local url=$1
local svc=$2
local ip=$(get_kubernetes_service_ip $svc)
local apache_conf=$(apache_site_config_for $name)
echo "ProxyPass \"${url}\" \"http://${ip}/\"" | sudo tee -a $apache_conf
enable_apache_site $name
restart_apache_server
}
# Gets or creates service
# Usage: get_or_create_service <name> <type> <description>
function get_or_create_service {
@ -29,3 +52,86 @@ spec:
EOF
}
export -f get_or_create_service
# install_keystone() - Collect source and prepare
function install_keystone {
cat <<EOF | kubectl apply -f-
---
apiVersion: identity.openstack.org/v1alpha1
kind: Keystone
metadata:
name: devstack
spec:
configDir: ${KEYSTONE_CONF_DIR}
EOF
}
export -f install_keystone
# init_keystone() - Initialize databases, etc.
function init_keystone {
if [[ "$RECREATE_KEYSTONE_DB" == True ]]; then
# (Re)create keystone database
recreate_database keystone
fi
time_start "dbsync"
kubectl exec deploy/keystone-devstack -- keystone-manage --config-file $KEYSTONE_CONF db_sync
time_stop "dbsync"
if [[ "$KEYSTONE_TOKEN_FORMAT" == "fernet" ]]; then
rm -rf "$KEYSTONE_CONF_DIR/fernet-keys/"
kubectl exec deploy/keystone-devstack keystone-manage --config-file $KEYSTONE_CONF fernet_setup
fi
rm -rf "$KEYSTONE_CONF_DIR/credential-keys/"
kubectl exec deploy/keystone-devstack -- keystone-manage --config-file $KEYSTONE_CONF credential_setup
}
export -f init_keystone
# start_keystone() - Start running processes
function start_keystone {
# Get right service port for testing
local service_port=$KEYSTONE_SERVICE_PORT
local auth_protocol=$KEYSTONE_AUTH_PROTOCOL
if is_service_enabled tls-proxy; then
service_port=$KEYSTONE_SERVICE_PORT_INT
auth_protocol="http"
fi
proxy_pass_to_kubernetes /identity keystone-devstack
echo "Waiting for keystone to start..."
# Check that the keystone service is running. Even if the tls tunnel
# should be enabled, make sure the internal port is checked using
# unencryted traffic at this point.
# If running in Apache, use the path rather than port.
local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
die $LINENO "keystone did not start"
fi
# Start proxies if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
fi
# (re)start memcached to make sure we have a clean memcache.
kubectl rollout restart statefulset/memcached-devstack
}
export -f start_keystone
function bootstrap_keystone {
kubectl exec deploy/keystone-devstack -- keystone-manage bootstrap \
--bootstrap-username admin \
--bootstrap-password "$ADMIN_PASSWORD" \
--bootstrap-project-name admin \
--bootstrap-role-name admin \
--bootstrap-service-name keystone \
--bootstrap-region-id "$REGION_NAME" \
--bootstrap-admin-url "$KEYSTONE_AUTH_URI" \
--bootstrap-public-url "$KEYSTONE_SERVICE_URI"
}
export -f bootstrap_keystone

+ 28
- 0
images/keystone/Dockerfile View File

@ -0,0 +1,28 @@
# Copyright (c) 2020 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
FROM docker.io/opendevorg/python-builder as builder
COPY bindep.txt /tmp/src/bindep.txt
RUN assemble keystone==16.0.0 \
msgpack===0.6.1 \
PyMySQL \
python-memcached
FROM docker.io/opendevorg/uwsgi-base
COPY --from=builder /output/ /output
RUN /output/install-from-bindep
EXPOSE 5000
ENV UWSGI_HTTP_SOCKET=:5000 \
UWSGI_WSGI_FILE=/usr/local/bin/keystone-wsgi-public

+ 3
- 0
images/keystone/bindep.txt View File

@ -0,0 +1,3 @@
gcc [compile]
libc-dev [compile]
libssl-dev [compile]

+ 37
- 0
openstack_operator/keystone.py View File

@ -0,0 +1,37 @@
# Copyright 2020 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Keystone Operator
This module maintains the operator for Keystone which does everything from
deployment to taking care of rotating fernet & credentials keys."""
import kopf
from openstack_operator import utils
@kopf.on.resume('identity.openstack.org', 'v1alpha1', 'keystones')
@kopf.on.create('identity.openstack.org', 'v1alpha1', 'keystones')
def create_or_resume(name, spec, **_):
"""Create and re-sync any Keystone instances
This function is called when a new resource is created but also when we
start the service up for the first time.
"""
utils.create_or_update('keystone/deployment.yml.j2',
name=name, spec=spec)
utils.create_or_update('keystone/service.yml.j2',
name=name, spec=spec)

+ 74
- 0
openstack_operator/templates/keystone/deployment.yml.j2 View File

@ -0,0 +1,74 @@
---
# Copyright 2020 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: keystone-{{ name }}
labels:
{{ labels("keystone", name) | indent(4) }}
spec:
replicas: 3
selector:
matchLabels:
{{ labels("keystone", name) | indent(6) }}
template:
metadata:
labels:
{{ labels("keystone", name) | indent(8) }}
spec:
containers:
- name: keystone
image: vexxhost/keystone:latest
imagePullPolicy: Always
ports:
- name: keystone
containerPort: 5000
livenessProbe:
httpGet:
path: /
port: keystone
readinessProbe:
httpGet:
path: /
port: keystone
resources:
limits:
cpu: 1000m
ephemeral-storage: 500M
memory: 256M
requests:
cpu: 500m
ephemeral-storage: 500M
memory: 128M
securityContext:
runAsUser: 65534
runAsGroup: 65534
volumeMounts:
- mountPath: /etc/keystone
name: config
volumes:
- name: config
hostPath:
path: {{ spec['configDir'] }}
type: Directory
{% if 'nodeSelector' in spec %}
nodeSelector:
{{ spec.nodeSelector | to_yaml | indent(8) }}
{% endif %}
{% if 'tolerations' in spec %}
tolerations:
{{ spec.tolerations | to_yaml | indent(8) }}
{% endif %}

+ 28
- 0
openstack_operator/templates/keystone/service.yml.j2 View File

@ -0,0 +1,28 @@
---
# Copyright 2020 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Service
metadata:
name: keystone-{{ name }}
spec:
type: ClusterIP
ports:
- name: keystone
port: 80
protocol: TCP
targetPort: keystone
selector:
{{ labels("keystone", name) | indent(4) }}

+ 1
- 1
playbooks/functional/devstack.yaml View File

@ -17,7 +17,7 @@
- hosts: all
tasks:
- name: Get Memcached IP address
command: kubectl get svc/mcrouter-memcached-sample -o=jsonpath='{.spec.clusterIP}'
command: kubectl get svc/mcrouter-memcached-devstack -o=jsonpath='{.spec.clusterIP}'
register: _memcached_ip
- name: Get RabbitMQ IP address
command: kubectl get svc/rabbitmq-sample -o=jsonpath='{.spec.clusterIP}'


+ 2
- 2
playbooks/functional/tests/memcached.yaml View File

@ -22,7 +22,7 @@
name: wait-for-pods
- name: Get all pod IPs for Memcached
command: kubectl get pods -l app.kubernetes.io/name=memcached,app.kubernetes.io/instance=sample -o=jsonpath='{range .items[*]}{.status.podIP}{"\n"}{end}'
command: kubectl get pods -l app.kubernetes.io/name=memcached,app.kubernetes.io/instance=devstack -o=jsonpath='{range .items[*]}{.status.podIP}{"\n"}{end}'
register: _memcached_ips
until: _memcached_ips is success
retries: 10
@ -41,7 +41,7 @@
failed_when: "'memcached_up 1' not in _metrics.content"
- name: Get all pod IPs for Mcrouter
command: kubectl get pods -l app.kubernetes.io/name=mcrouter,app.kubernetes.io/instance=memcached-sample -o=jsonpath='{range .items[*]}{.status.podIP}{"\n"}{end}'
command: kubectl get pods -l app.kubernetes.io/name=mcrouter,app.kubernetes.io/instance=memcached-devstack -o=jsonpath='{range .items[*]}{.status.podIP}{"\n"}{end}'
register: _mcrouter_ips
until: _mcrouter_ips is success
retries: 10


+ 14
- 10
zuul.d/functional-jobs.yaml View File

@ -20,37 +20,41 @@
jobs:
- openstack-operator:functional:
dependencies:
- name: openstack-operator:images:build:mcrouter-exporter
soft: true
- name: openstack-operator:images:build:horizon
- name: openstack-operator:images:build:ceilometer
soft: true
- name: openstack-operator:images:build:rabbitmq
soft: true
- name: openstack-operator:images:build:ceilometer
- name: openstack-operator:images:build:keystone
soft: true
- name: openstack-operator:images:build:memcached-exporter
- name: openstack-operator:images:build:horizon
soft: true
- name: openstack-operator:images:build:memcached
soft: true
- name: openstack-operator:images:build:mcrouter
soft: true
- openstack-operator:images:build:openstack-operator
- name: openstack-operator:images:build:mcrouter-exporter
soft: true
- name: openstack-operator:images:build:memcached-exporter
soft: true
gate:
jobs:
- openstack-operator:functional:
dependencies:
- name: openstack-operator:images:upload:mcrouter-exporter
soft: true
- name: openstack-operator:images:upload:horizon
- name: openstack-operator:images:upload:ceilometer
soft: true
- name: openstack-operator:images:upload:rabbitmq
soft: true
- name: openstack-operator:images:upload:ceilometer
- name: openstack-operator:images:upload:keystone
soft: true
- name: openstack-operator:images:upload:memcached-exporter
- name: openstack-operator:images:upload:horizon
soft: true
- name: openstack-operator:images:upload:memcached
soft: true
- name: openstack-operator:images:upload:mcrouter
soft: true
- openstack-operator:images:upload:openstack-operator
- name: openstack-operator:images:upload:mcrouter-exporter
soft: true
- name: openstack-operator:images:upload:memcached-exporter
soft: true

+ 4
- 0
zuul.d/horizon-jobs.yaml View File

@ -6,6 +6,8 @@
docker_images:
- context: images/horizon
repository: vexxhost/horizon
dependencies:
- openstack-operator:images:build:openstack-operator
files: &id002
- ^images/horizon/.*
- job:
@ -13,6 +15,8 @@
parent: vexxhost-upload-docker-image
provides: openstack-operator:image:horizon
vars: *id001
dependencies:
- openstack-operator:images:upload:openstack-operator
files: *id002
- job:
name: openstack-operator:images:promote:horizon


+ 35
- 0
zuul.d/keystone-jobs.yaml View File

@ -0,0 +1,35 @@
- job:
name: openstack-operator:images:build:keystone
parent: vexxhost-build-docker-image
provides: openstack-operator:image:keystone
vars: &id001
docker_images:
- context: images/keystone
repository: vexxhost/keystone
dependencies:
- openstack-operator:images:build:openstack-operator
files: &id002
- ^images/keystone/.*
- job:
name: openstack-operator:images:upload:keystone
parent: vexxhost-upload-docker-image
provides: openstack-operator:image:keystone
vars: *id001
dependencies:
- openstack-operator:images:upload:openstack-operator
files: *id002
- job:
name: openstack-operator:images:promote:keystone
parent: vexxhost-promote-docker-image
vars: *id001
files: *id002
- project:
check:
jobs:
- openstack-operator:images:build:keystone
gate:
jobs:
- openstack-operator:images:upload:keystone
promote:
jobs:
- openstack-operator:images:promote:keystone

Loading…
Cancel
Save