From 97501c44602ebeef778937c051a78febbd51ca9a Mon Sep 17 00:00:00 2001
From: Mohammed Naser <mnaser@vexxhost.com>
Date: Sun, 3 May 2020 14:20:00 -0400
Subject: [PATCH] Added basic keystone support

Change-Id: Ib1b143438053cb43c071bc4d4db3a6c6fc923e98
---
 .dockerignore                                 |   3 +
 .../identity.openstack.org_keystones.yaml     |  24 ++++
 chart/templates/clusterrole.yaml              |   2 +
 chart/templates/deployment.yaml               |   2 +
 .../samples/identity_v1alpha1_keystone.yaml   |   7 ++
 .../infrastructure_v1alpha1_memcached.yaml    |   2 +-
 devstack/override-defaults                    | 106 ++++++++++++++++++
 images/keystone/Dockerfile                    |  28 +++++
 images/keystone/bindep.txt                    |   3 +
 openstack_operator/keystone.py                |  37 ++++++
 .../templates/keystone/deployment.yml.j2      |  74 ++++++++++++
 .../templates/keystone/service.yml.j2         |  28 +++++
 playbooks/functional/devstack.yaml            |   2 +-
 playbooks/functional/tests/memcached.yaml     |   4 +-
 zuul.d/functional-jobs.yaml                   |  24 ++--
 zuul.d/horizon-jobs.yaml                      |   4 +
 zuul.d/keystone-jobs.yaml                     |  35 ++++++
 17 files changed, 371 insertions(+), 14 deletions(-)
 create mode 100644 .dockerignore
 create mode 100644 chart/crds/identity.openstack.org_keystones.yaml
 create mode 100644 config/samples/identity_v1alpha1_keystone.yaml
 create mode 100644 images/keystone/Dockerfile
 create mode 100644 images/keystone/bindep.txt
 create mode 100644 openstack_operator/keystone.py
 create mode 100644 openstack_operator/templates/keystone/deployment.yml.j2
 create mode 100644 openstack_operator/templates/keystone/service.yml.j2
 create mode 100644 zuul.d/keystone-jobs.yaml

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..a0adc5c6
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,3 @@
+.eggs
+.stestr
+.tox
diff --git a/chart/crds/identity.openstack.org_keystones.yaml b/chart/crds/identity.openstack.org_keystones.yaml
new file mode 100644
index 00000000..0fc6cca5
--- /dev/null
+++ b/chart/crds/identity.openstack.org_keystones.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: keystones.identity.openstack.org
+spec:
+  group: identity.openstack.org
+  names:
+    kind: Keystone
+    listKind: KeystoneList
+    plural: keystones
+    singular: keystone
+  scope: Namespaced
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/chart/templates/clusterrole.yaml b/chart/templates/clusterrole.yaml
index 0e70bb93..89da1440 100644
--- a/chart/templates/clusterrole.yaml
+++ b/chart/templates/clusterrole.yaml
@@ -113,6 +113,7 @@ rules:
   - identity.openstack.org
   resources:
   - services
+  - keystones
   verbs:
   - create
   - delete
@@ -125,6 +126,7 @@ rules:
   - identity.openstack.org
   resources:
   - services/status
+  - keystones/status
   verbs:
   - get
   - patch
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index adc30a43..2c2e9ad9 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -31,6 +31,8 @@ spec:
         - -m
         - openstack_operator.horizon
         - -m
+        - openstack_operator.keystone
+        - -m
         - openstack_operator.mcrouter
         - -m
         - openstack_operator.memcached
diff --git a/config/samples/identity_v1alpha1_keystone.yaml b/config/samples/identity_v1alpha1_keystone.yaml
new file mode 100644
index 00000000..a9b3c4a9
--- /dev/null
+++ b/config/samples/identity_v1alpha1_keystone.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: identity.openstack.org/v1alpha1
+kind: Keystone
+metadata:
+  name: sample
+spec:
+  configDir: /etc/keystone
diff --git a/config/samples/infrastructure_v1alpha1_memcached.yaml b/config/samples/infrastructure_v1alpha1_memcached.yaml
index 086a6f1d..05f89e10 100644
--- a/config/samples/infrastructure_v1alpha1_memcached.yaml
+++ b/config/samples/infrastructure_v1alpha1_memcached.yaml
@@ -1,7 +1,7 @@
 apiVersion: infrastructure.vexxhost.cloud/v1alpha1
 kind: Memcached
 metadata:
-  name: sample
+  name: devstack
   labels:
     monitoring: haha
 spec:
diff --git a/devstack/override-defaults b/devstack/override-defaults
index a7ef98ef..78b9f491 100644
--- a/devstack/override-defaults
+++ b/devstack/override-defaults
@@ -14,6 +14,29 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+function get_kubernetes_service_ip {
+	local svc="$1"
+
+	for i in {1..30}; do
+		ip=$(kubectl get svc/$svc -ojsonpath='{.spec.clusterIP}') && break || sleep 1;
+	done
+
+	return $ip
+}
+
+function proxy_pass_to_kubernetes {
+	local url=$1
+	local svc=$2
+
+	local ip=$(get_kubernetes_service_ip $svc)
+	local apache_conf=$(apache_site_config_for $name)
+
+	echo "ProxyPass \"${url}\" \"http://${ip}/\"" | sudo tee -a $apache_conf
+
+	enable_apache_site $name
+	restart_apache_server
+}
+
 # Gets or creates service
 # Usage: get_or_create_service <name> <type> <description>
 function get_or_create_service {
@@ -29,3 +52,86 @@ spec:
 EOF
 }
 export -f get_or_create_service
+
+# install_keystone() - Collect source and prepare
+function install_keystone {
+	cat <<EOF | kubectl apply -f-
+---
+apiVersion: identity.openstack.org/v1alpha1
+kind: Keystone
+metadata:
+  name: devstack
+spec:
+  configDir: ${KEYSTONE_CONF_DIR}
+EOF
+}
+export -f install_keystone
+
+# init_keystone() - Initialize databases, etc.
+function init_keystone {
+	if [[ "$RECREATE_KEYSTONE_DB" == True ]]; then
+		# (Re)create keystone database
+		recreate_database keystone
+	fi
+
+	time_start "dbsync"
+	kubectl exec deploy/keystone-devstack -- keystone-manage --config-file $KEYSTONE_CONF db_sync
+	time_stop "dbsync"
+
+	if [[ "$KEYSTONE_TOKEN_FORMAT" == "fernet" ]]; then
+		rm -rf "$KEYSTONE_CONF_DIR/fernet-keys/"
+		kubectl exec deploy/keystone-devstack keystone-manage --config-file $KEYSTONE_CONF fernet_setup
+	fi
+
+	rm -rf "$KEYSTONE_CONF_DIR/credential-keys/"
+	kubectl exec deploy/keystone-devstack -- keystone-manage --config-file $KEYSTONE_CONF credential_setup
+}
+export -f init_keystone
+
+# start_keystone() - Start running processes
+function start_keystone {
+	# Get right service port for testing
+	local service_port=$KEYSTONE_SERVICE_PORT
+	local auth_protocol=$KEYSTONE_AUTH_PROTOCOL
+	if is_service_enabled tls-proxy; then
+		service_port=$KEYSTONE_SERVICE_PORT_INT
+		auth_protocol="http"
+	fi
+
+	proxy_pass_to_kubernetes /identity keystone-devstack
+
+	echo "Waiting for keystone to start..."
+	# Check that the keystone service is running. Even if the tls tunnel
+	# should be enabled, make sure the internal port is checked using
+	# unencryted traffic at this point.
+	# If running in Apache, use the path rather than port.
+
+	local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
+
+	if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
+		die $LINENO "keystone did not start"
+	fi
+
+	# Start proxies if enabled
+	if is_service_enabled tls-proxy; then
+		start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
+		start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
+	fi
+
+	# (re)start memcached to make sure we have a clean memcache.
+	kubectl rollout restart statefulset/memcached-devstack
+}
+export -f start_keystone
+
+function bootstrap_keystone {
+	kubectl exec deploy/keystone-devstack -- keystone-manage bootstrap \
+		--bootstrap-username admin \
+		--bootstrap-password "$ADMIN_PASSWORD" \
+		--bootstrap-project-name admin \
+		--bootstrap-role-name admin \
+		--bootstrap-service-name keystone \
+		--bootstrap-region-id "$REGION_NAME" \
+		--bootstrap-admin-url "$KEYSTONE_AUTH_URI" \
+		--bootstrap-public-url "$KEYSTONE_SERVICE_URI"
+}
+export -f bootstrap_keystone
diff --git a/images/keystone/Dockerfile b/images/keystone/Dockerfile
new file mode 100644
index 00000000..b271814f
--- /dev/null
+++ b/images/keystone/Dockerfile
@@ -0,0 +1,28 @@
+# Copyright (c) 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM docker.io/opendevorg/python-builder as builder
+COPY bindep.txt /tmp/src/bindep.txt
+RUN assemble keystone==16.0.0 \
+             msgpack===0.6.1 \
+             PyMySQL \
+	     python-memcached
+
+FROM docker.io/opendevorg/uwsgi-base
+COPY --from=builder /output/ /output
+RUN /output/install-from-bindep
+EXPOSE 5000
+ENV UWSGI_HTTP_SOCKET=:5000 \
+    UWSGI_WSGI_FILE=/usr/local/bin/keystone-wsgi-public
diff --git a/images/keystone/bindep.txt b/images/keystone/bindep.txt
new file mode 100644
index 00000000..4097614b
--- /dev/null
+++ b/images/keystone/bindep.txt
@@ -0,0 +1,3 @@
+gcc [compile]
+libc-dev [compile]
+libssl-dev [compile]
diff --git a/openstack_operator/keystone.py b/openstack_operator/keystone.py
new file mode 100644
index 00000000..ff359f63
--- /dev/null
+++ b/openstack_operator/keystone.py
@@ -0,0 +1,37 @@
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Keystone Operator
+
+This module maintains the operator for Keystone which does everything from
+deployment to taking care of rotating fernet & credentials keys."""
+
+import kopf
+
+from openstack_operator import utils
+
+
+@kopf.on.resume('identity.openstack.org', 'v1alpha1', 'keystones')
+@kopf.on.create('identity.openstack.org', 'v1alpha1', 'keystones')
+def create_or_resume(name, spec, **_):
+    """Create and re-sync any Keystone instances
+
+    This function is called when a new resource is created but also when we
+    start the service up for the first time.
+    """
+
+    utils.create_or_update('keystone/deployment.yml.j2',
+                           name=name, spec=spec)
+    utils.create_or_update('keystone/service.yml.j2',
+                           name=name, spec=spec)
diff --git a/openstack_operator/templates/keystone/deployment.yml.j2 b/openstack_operator/templates/keystone/deployment.yml.j2
new file mode 100644
index 00000000..93544813
--- /dev/null
+++ b/openstack_operator/templates/keystone/deployment.yml.j2
@@ -0,0 +1,74 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keystone-{{ name }}
+  labels:
+    {{ labels("keystone", name) | indent(4) }}
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      {{ labels("keystone", name) | indent(6) }}
+  template:
+    metadata:
+      labels:
+        {{ labels("keystone", name) | indent(8) }}
+    spec:
+      containers:
+      - name: keystone
+        image: vexxhost/keystone:latest
+        imagePullPolicy: Always
+        ports:
+        - name: keystone
+          containerPort: 5000
+        livenessProbe:
+          httpGet:
+            path: /
+            port: keystone
+        readinessProbe:
+          httpGet:
+            path: /
+            port: keystone
+        resources:
+          limits:
+            cpu: 1000m
+            ephemeral-storage: 500M
+            memory: 256M
+          requests:
+            cpu: 500m
+            ephemeral-storage: 500M
+            memory: 128M
+        securityContext:
+          runAsUser: 65534
+          runAsGroup: 65534
+        volumeMounts:
+        - mountPath: /etc/keystone
+          name: config
+      volumes:
+      - name: config
+        hostPath:
+          path: {{ spec['configDir'] }}
+          type: Directory
+{% if 'nodeSelector' in spec %}
+      nodeSelector:
+        {{ spec.nodeSelector | to_yaml | indent(8) }}
+{% endif %}
+{% if 'tolerations' in spec %}
+      tolerations:
+        {{ spec.tolerations | to_yaml | indent(8) }}
+{% endif %}
diff --git a/openstack_operator/templates/keystone/service.yml.j2 b/openstack_operator/templates/keystone/service.yml.j2
new file mode 100644
index 00000000..8ac649cf
--- /dev/null
+++ b/openstack_operator/templates/keystone/service.yml.j2
@@ -0,0 +1,28 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: keystone-{{ name }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: keystone
+    port: 80
+    protocol: TCP
+    targetPort: keystone
+  selector:
+    {{ labels("keystone", name) | indent(4) }}
diff --git a/playbooks/functional/devstack.yaml b/playbooks/functional/devstack.yaml
index e7c2b5d0..ecdeb9ea 100644
--- a/playbooks/functional/devstack.yaml
+++ b/playbooks/functional/devstack.yaml
@@ -17,7 +17,7 @@
 - hosts: all
   tasks:
     - name: Get Memcached IP address
-      command: kubectl get svc/mcrouter-memcached-sample -o=jsonpath='{.spec.clusterIP}'
+      command: kubectl get svc/mcrouter-memcached-devstack -o=jsonpath='{.spec.clusterIP}'
       register: _memcached_ip
     - name: Get RabbitMQ IP address
       command: kubectl get svc/rabbitmq-sample -o=jsonpath='{.spec.clusterIP}'
diff --git a/playbooks/functional/tests/memcached.yaml b/playbooks/functional/tests/memcached.yaml
index 459a03dc..4b30a829 100644
--- a/playbooks/functional/tests/memcached.yaml
+++ b/playbooks/functional/tests/memcached.yaml
@@ -22,7 +22,7 @@
     name: wait-for-pods
 
 - name: Get all pod IPs for Memcached
-  command: kubectl get pods -l app.kubernetes.io/name=memcached,app.kubernetes.io/instance=sample -o=jsonpath='{range .items[*]}{.status.podIP}{"\n"}{end}'
+  command: kubectl get pods -l app.kubernetes.io/name=memcached,app.kubernetes.io/instance=devstack -o=jsonpath='{range .items[*]}{.status.podIP}{"\n"}{end}'
   register: _memcached_ips
   until: _memcached_ips is success
   retries: 10
@@ -41,7 +41,7 @@
   failed_when: "'memcached_up 1' not in _metrics.content"
 
 - name: Get all pod IPs for Mcrouter
-  command: kubectl get pods -l app.kubernetes.io/name=mcrouter,app.kubernetes.io/instance=memcached-sample -o=jsonpath='{range .items[*]}{.status.podIP}{"\n"}{end}'
+  command: kubectl get pods -l app.kubernetes.io/name=mcrouter,app.kubernetes.io/instance=memcached-devstack -o=jsonpath='{range .items[*]}{.status.podIP}{"\n"}{end}'
   register: _mcrouter_ips
   until: _mcrouter_ips is success
   retries: 10
diff --git a/zuul.d/functional-jobs.yaml b/zuul.d/functional-jobs.yaml
index 727a4618..abf11f0b 100644
--- a/zuul.d/functional-jobs.yaml
+++ b/zuul.d/functional-jobs.yaml
@@ -20,37 +20,41 @@
       jobs:
       - openstack-operator:functional:
           dependencies:
-          - name: openstack-operator:images:build:mcrouter-exporter
-            soft: true
-          - name: openstack-operator:images:build:horizon
+          - name: openstack-operator:images:build:ceilometer
             soft: true
           - name: openstack-operator:images:build:rabbitmq
             soft: true
-          - name: openstack-operator:images:build:ceilometer
+          - name: openstack-operator:images:build:keystone
             soft: true
-          - name: openstack-operator:images:build:memcached-exporter
+          - name: openstack-operator:images:build:horizon
             soft: true
           - name: openstack-operator:images:build:memcached
             soft: true
           - name: openstack-operator:images:build:mcrouter
             soft: true
           - openstack-operator:images:build:openstack-operator
+          - name: openstack-operator:images:build:mcrouter-exporter
+            soft: true
+          - name: openstack-operator:images:build:memcached-exporter
+            soft: true
     gate:
       jobs:
       - openstack-operator:functional:
           dependencies:
-          - name: openstack-operator:images:upload:mcrouter-exporter
-            soft: true
-          - name: openstack-operator:images:upload:horizon
+          - name: openstack-operator:images:upload:ceilometer
             soft: true
           - name: openstack-operator:images:upload:rabbitmq
             soft: true
-          - name: openstack-operator:images:upload:ceilometer
+          - name: openstack-operator:images:upload:keystone
             soft: true
-          - name: openstack-operator:images:upload:memcached-exporter
+          - name: openstack-operator:images:upload:horizon
             soft: true
           - name: openstack-operator:images:upload:memcached
             soft: true
           - name: openstack-operator:images:upload:mcrouter
             soft: true
           - openstack-operator:images:upload:openstack-operator
+          - name: openstack-operator:images:upload:mcrouter-exporter
+            soft: true
+          - name: openstack-operator:images:upload:memcached-exporter
+            soft: true
diff --git a/zuul.d/horizon-jobs.yaml b/zuul.d/horizon-jobs.yaml
index 2da2675f..839277b4 100644
--- a/zuul.d/horizon-jobs.yaml
+++ b/zuul.d/horizon-jobs.yaml
@@ -6,6 +6,8 @@
       docker_images:
       - context: images/horizon
         repository: vexxhost/horizon
+    dependencies:
+    - openstack-operator:images:build:openstack-operator
     files: &id002
     - ^images/horizon/.*
 - job:
@@ -13,6 +15,8 @@
     parent: vexxhost-upload-docker-image
     provides: openstack-operator:image:horizon
     vars: *id001
+    dependencies:
+    - openstack-operator:images:upload:openstack-operator
     files: *id002
 - job:
     name: openstack-operator:images:promote:horizon
diff --git a/zuul.d/keystone-jobs.yaml b/zuul.d/keystone-jobs.yaml
new file mode 100644
index 00000000..43bb0f7b
--- /dev/null
+++ b/zuul.d/keystone-jobs.yaml
@@ -0,0 +1,35 @@
+- job:
+    name: openstack-operator:images:build:keystone
+    parent: vexxhost-build-docker-image
+    provides: openstack-operator:image:keystone
+    vars: &id001
+      docker_images:
+      - context: images/keystone
+        repository: vexxhost/keystone
+    dependencies:
+    - openstack-operator:images:build:openstack-operator
+    files: &id002
+    - ^images/keystone/.*
+- job:
+    name: openstack-operator:images:upload:keystone
+    parent: vexxhost-upload-docker-image
+    provides: openstack-operator:image:keystone
+    vars: *id001
+    dependencies:
+    - openstack-operator:images:upload:openstack-operator
+    files: *id002
+- job:
+    name: openstack-operator:images:promote:keystone
+    parent: vexxhost-promote-docker-image
+    vars: *id001
+    files: *id002
+- project:
+    check:
+      jobs:
+      - openstack-operator:images:build:keystone
+    gate:
+      jobs:
+      - openstack-operator:images:upload:keystone
+    promote:
+      jobs:
+      - openstack-operator:images:promote:keystone