Merge "Create keystone config secret in operator"

This commit is contained in:
Zuul 2020-08-06 02:14:13 +00:00 committed by Gerrit Code Review
commit a8d1e20039
3 changed files with 47 additions and 106 deletions

View File

@ -16,110 +16,18 @@
# install_keystone() - Collect source and prepare
function install_keystone {
echo "Both installation and startup are included in the deployment of keystone crd."
echo noop
}
export -f install_keystone
# configure_keystone() - Set config files, create data dirs, etc
function configure_keystone {
sudo install -d -o $STACK_USER $KEYSTONE_CONF_DIR
if [[ "$KEYSTONE_CONF_DIR" != "$KEYSTONE_DIR/etc" ]]; then
install -m 600 /dev/null $KEYSTONE_CONF
fi
# Populate ``keystone.conf``
if is_service_enabled ldap; then
iniset $KEYSTONE_CONF identity domain_config_dir "$KEYSTONE_CONF_DIR/domains"
iniset $KEYSTONE_CONF identity domain_specific_drivers_enabled "True"
fi
iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND"
iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS
iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND"
iniset $KEYSTONE_CONF role driver "$KEYSTONE_ROLE_BACKEND"
iniset $KEYSTONE_CONF resource driver "$KEYSTONE_RESOURCE_BACKEND"
# Enable caching
iniset $KEYSTONE_CONF cache enabled $KEYSTONE_ENABLE_CACHE
iniset $KEYSTONE_CONF cache backend $CACHE_BACKEND
iniset $KEYSTONE_CONF cache memcache_servers "mcrouter-memcached-keystone:11211"
iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications
local service_port=$KEYSTONE_SERVICE_PORT
local auth_port=$KEYSTONE_AUTH_PORT
if is_service_enabled tls-proxy; then
# Set the service ports for a proxy to take the originals
service_port=$KEYSTONE_SERVICE_PORT_INT
auth_port=$KEYSTONE_AUTH_PORT_INT
fi
# Override the endpoints advertised by keystone (the public_endpoint and
# admin_endpoint) so that clients use the correct endpoint. By default, the
# keystone server uses the public_port and admin_port which isn't going to
# work when you want to use a different port (in the case of proxy), or you
# don't want the port (in the case of putting keystone on a path in
# apache).
iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
fi
# Get mysql password
KEYSTONE_DATABASE_USER=$(get_data_from_secret keystone-mysql openstack USER)
KEYSTONE_DATABASE_PASSWORD=$(get_data_from_secret keystone-mysql openstack PASSWORD)
KEYSTONE_DATABASE_NAME=$(get_data_from_secret keystone-mysql openstack DATABASE)
iniset $KEYSTONE_CONF database connection "mysql+pymysql://$KEYSTONE_DATABASE_USER:$KEYSTONE_DATABASE_PASSWORD@keystone-mysql/$KEYSTONE_DATABASE_NAME?charset=utf8"
# Set up logging
if [ "$SYSLOG" != "False" ]; then
iniset $KEYSTONE_CONF DEFAULT use_syslog "True"
fi
# Format logging
setup_logging $KEYSTONE_CONF
iniset $KEYSTONE_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s"
_config_keystone_apache_wsgi
else # uwsgi
write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity"
write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin"
fi
iniset $KEYSTONE_CONF DEFAULT max_token_size 16384
iniset $KEYSTONE_CONF fernet_tokens key_repository "$KEYSTONE_CONF_DIR/fernet-keys/"
iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/"
# Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project.
# The users from this project are globally admin as before, but it also
# allows policy changes in order to clarify the adminess scope.
#iniset $KEYSTONE_CONF resource admin_project_domain_name Default
#iniset $KEYSTONE_CONF resource admin_project_name admin
if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
fi
echo noop
}
# init_keystone() - Initialize databases, etc.
function init_keystone {
kubectl create secret generic keystone-config --from-file=/etc/keystone/keystone.conf -n openstack
# NOTE(mnaser): Permissions here are bad but it's temporary so we don't care as much.
sudo chmod -Rv 777 /etc/keystone
if [[ "$RECREATE_KEYSTONE_DB" == True ]]; then
# (Re)create keystone database
recreate_database keystone
fi
echo noop
}
export -f init_keystone
@ -152,12 +60,6 @@ function start_keystone {
die $LINENO "keystone did not start"
fi
# Start proxies if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
fi
# (re)start memcached to make sure we have a clean memcache.
kubectl rollout restart statefulset/memcached-keystone
sleep 10

View File

@ -29,6 +29,7 @@ from openstack_operator import utils
TOKEN_EXPIRATION = 86400
FERNET_ROTATION_INTERVAL = 3600
ACTIVE_KEYS = int(TOKEN_EXPIRATION / FERNET_ROTATION_INTERVAL)
def _is_keystone_deployment(name, **_):
@ -60,11 +61,8 @@ def create_or_rotate_fernet_repository(name):
# Stage a new key
data['0'] = fernet.Fernet.generate_key().decode('utf-8')
# Determine number of active keys
active_keys = int(TOKEN_EXPIRATION / FERNET_ROTATION_INTERVAL)
# Determine the keys to keep and drop others
keys_to_keep = [0] + sorted_keys[-active_keys:]
keys_to_keep = [0] + sorted_keys[-ACTIVE_KEYS:]
keys = {k: base64.b64encode(v.encode('utf-8')).decode('utf-8')
for k, v in data.items() if int(k) in keys_to_keep}
@ -109,12 +107,21 @@ def create_or_resume(name, spec, **_):
username=username)
# (TODO)Replace the current admin url
# deploy mysql
if "mysql" not in spec:
spec["mysql"] = {}
database.ensure_mysql_cluster("keystone", spec["mysql"])
db_config = database.ensure_mysql_cluster("keystone", spec["mysql"])
# deploy memcached
utils.create_or_update('keystone/memcached.yml.j2', spec=spec)
# keystone config
utils.create_or_update('keystone/secret-config.yml.j2',
password=db_config["PASSWORD"],
TOKEN_EXPIRATION=TOKEN_EXPIRATION,
ACTIVE_KEYS=ACTIVE_KEYS)
# deploy keystone
utils.create_or_update('keystone/daemonset.yml.j2',
name=name, spec=spec,
config_hash=config_hash)

View File

@ -0,0 +1,32 @@
---
# Copyright 2020 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Secret
metadata:
name: keystone-config
namespace: openstack
stringData:
keystone.conf: |
[cache]
enabled=true
backend = dogpile.cache.memcached
memcache_servers=mcrouter-memcached-keystone
[database]
connection="mysql+pymysql://keystone:{{ password }}@keystone-mysql:3306/keystone?charset=utf8"
[fernet_tokens]
max_active_keys = {{ ACTIVE_KEYS }}
[token]
expiration = {{ TOKEN_EXPIRATION }}