authorJenkins <jenkins@review.openstack.org>2017-05-24 13:43:42 +0000
committerGerrit Code Review <review@openstack.org>2017-05-24 13:43:42 +0000
commit21eb5de7b971b7aec2621b230c356ab227810446 (patch)
tree47df48ec8fbf2ce580cdd39428e3f2704538b365
parent907eeb28da0a03abb5b1c6702e53a32b576fec29 (diff)
parent12a3cc01ca556ce77a4556fc4d691061f509feba (diff)
Merge "Enable custom keystone endpoint_type in templates" into stable/ocata
-rw-r--r--devstack/lib/magnum1
-rw-r--r--install-guide/source/common/configure_2_edit_magnum_conf.rst6
-rw-r--r--magnum/conf/trust.py5
-rw-r--r--magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh2
-rw-r--r--magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh2
-rw-r--r--magnum/drivers/common/templates/swarm/fragments/make-cert.py2
-rw-r--r--magnum/drivers/heat/template_def.py5
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml2
-rw-r--r--magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml2
-rw-r--r--magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py2
-rw-r--r--magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py2
-rw-r--r--magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py2
-rw-r--r--releasenotes/notes/keystone_trustee_interface-6d63b74616dda1d4.yaml5
13 files changed, 24 insertions, 14 deletions
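diff --git a/devstack/lib/magnum b/devstack/lib/magnum
index 5f04c45..0a2c698 100644
--- a/devstack/lib/magnum
+++ b/devstack/lib/magnum
@@ -208,6 +208,7 @@ function create_magnum_conf {
  iniset $MAGNUM_CONF trust trustee_domain_name magnum
  iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin
  iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD
+ iniset $MAGNUM_CONF trust trustee_keystone_interface public
  iniset $MAGNUM_CONF cinder_client region_name $REGION_NAME
 
  if is_service_enabled swift; then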
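diff --git a/install-guide/source/common/configure_2_edit_magnum_conf.rst b/install-guide/source/common/configure_2_edit_magnum_conf.rst
index 0e035bb..a3b6544 100644
--- a/install-guide/source/common/configure_2_edit_magnum_conf.rst
+++ b/install-guide/source/common/configure_2_edit_magnum_conf.rst
@@ -76,11 +76,17 @@
  trustee_domain_name = magnum
  trustee_domain_admin_name = magnum_domain_admin
  trustee_domain_admin_password = DOMAIN_ADMIN_PASS
+ trustee_keystone_interface = KEYSTONE_INTERFACE
 
  Replace MAGNUM_PASS with the password you chose for the magnum user in the
  Identity service and DOMAIN_ADMIN_PASS with the password you chose for the
  ``magnum_domain_admin`` user.
 
+ Replace KEYSTONE_INTERFACE with either ``public`` or ``internal``
+ depending on your network configuration. If your instances cannot reach
+ internal keystone endpoint which is often the case in production
+ environments it should be set to ``public``. Default to ``public``
+
  * In the ``[oslo_messaging_notifications]`` section, configure the
  ``driver``:
 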
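diff --git a/magnum/conf/trust.py b/magnum/conf/trust.py
index ffa25e8..eb5c826 100644
--- a/magnum/conf/trust.py
+++ b/magnum/conf/trust.py
@@ -50,7 +50,10 @@ trust_opts = [
  cfg.ListOpt('roles',
  default=[],
  help=_('The roles which are delegated to the trustee '
- 'by the trustor'))
+ 'by the trustor')),
+ cfg.StrOpt('trustee_keystone_interface',
+ default='public',
+ help=_('Auth interface used by instances/trustee'))
 ]
 
 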
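Review bot: `trustee_keystone_interface` is declared as a free-form `StrOpt`, so a typo in magnum.conf is only noticed when the endpoint lookup runs during cluster creation. Constraining it, e.g. `choices=['public', 'internal']` to match what the install guide documents, would make a bad value fail at config load instead. The help text could also state that the value selects which Keystone catalog endpoint is handed to cluster nodes as their auth URL. The `trust_opts` list starts outside this hunk.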
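diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
index 97d9bf4..414a3bc 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
@@ -55,8 +55,6 @@ auth_json=$(cat << EOF
 EOF
 )
 
-#trust is introduced in Keystone v3 version
-AUTH_URL=${AUTH_URL/v2.0/v3}
 content_type='Content-Type: application/json'
 url="$AUTH_URL/auth/tokens"
 USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \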
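Review bot: The token request on the `USER_TOKEN=` line still runs `curl -k`, so the auth body in `$auth_json` (presumably the trustee credentials) is POSTed without verifying the Keystone certificate, and with this commit that request targets the `public` endpoint by default. Consider dropping `-k` and passing the deployment's CA bundle via `--cacert` (the path is deployment-specific), or making verification a template parameter that defaults to on. The same applies to the `curl -k` lines in make-cert.sh and in the k8s_coreos_v1 make-cert-client.yaml and make-cert.yaml fragments. The `USER_TOKEN=` command continues past the end of this hunk.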
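diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
index 4eaad62..452f984 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@@ -77,8 +77,6 @@ auth_json=$(cat << EOF
 EOF
 )
 
-#trust is introduced in Keystone v3 version
-AUTH_URL=${AUTH_URL/v2.0/v3}
 content_type='Content-Type: application/json'
 url="$AUTH_URL/auth/tokens"
 USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \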
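diff --git a/magnum/drivers/common/templates/swarm/fragments/make-cert.py b/magnum/drivers/common/templates/swarm/fragments/make-cert.py
index 896beac..844b035 100644
--- a/magnum/drivers/common/templates/swarm/fragments/make-cert.py
+++ b/magnum/drivers/common/templates/swarm/fragments/make-cert.py
@@ -160,7 +160,7 @@ def get_user_token(config):
  }
  creds = creds_str % params
  headers = {'Content-Type': 'application/json'}
- url = config['AUTH_URL'].replace('v2.0', 'v3') + '/auth/tokens'
+ url = config['AUTH_URL'] + '/auth/tokens'
  r = requests.post(url, headers=headers, data=creds)
  config['USER_TOKEN'] = r.headers['X-Subject-Token']
  return config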
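Review bot: `get_user_token` reads `r.headers['X-Subject-Token']` without checking the response, so with the `v2.0` to `v3` rewrite removed, an `AUTH_URL` that is not a v3 endpoint surfaces as a bare `KeyError` rather than an authentication error. Adding `r.raise_for_status()` right after the `requests.post(...)` call would report the real failure. Passing a `timeout=` to that call would also keep a node that cannot reach the configured interface from blocking indefinitely. The function starts outside this hunk.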
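diff --git a/magnum/drivers/heat/template_def.py b/magnum/drivers/heat/template_def.py
index 4a3b7e0..6f39dee 100644
--- a/magnum/drivers/heat/template_def.py
+++ b/magnum/drivers/heat/template_def.py
@@ -252,7 +252,10 @@ class BaseTemplateDefinition(TemplateDefinition):
  else:
  extra_params['trust_id'] = ""
 
- extra_params['auth_url'] = context.auth_url
+ extra_params['auth_url'] = osc.url_for(
+ service_type='identity',
+ interface=CONF.trust.trustee_keystone_interface,
+ version=3)
 
  return super(BaseTemplateDefinition,
  self).get_params(context, cluster_template, cluster,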
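Review bot: Nothing at the `osc.url_for(...)` call records that `version=3` is now load-bearing: the in-instance fragments changed in this commit stop rewriting `v2.0` to `v3`, so the URL returned here must already be a Keystone v3 endpoint. A short comment above the call would capture that, e.g. `# Trusts need Keystone v3; the cluster fragments use this URL as-is.` It is also worth confirming how a missing catalog endpoint for the configured interface is reported to the user, since `osc` and the rest of `get_params` are outside this hunk.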
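diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
index da290e5..ed0121c 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
@@ -68,8 +68,6 @@ write_files:
  }
  EOF
 
- #trust is introduced in Keystone v3 version
- AUTH_URL=${AUTH_URL/v2.0/v3}
  USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
  $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
 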
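diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
index cc9196d..bebc7cc 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
@@ -91,8 +91,6 @@ write_files:
  }
  EOF
 
- #trust is introduced in Keystone v3 version
- AUTH_URL=${AUTH_URL/v2.0/v3}
  USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
  $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
 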
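diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
index 074539b..d15deaa 100644
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -79,13 +79,13 @@ class TestClusterConductorWithK8s(base.TestCase):
  'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
  'coe_version': 'fake-version',
  }
- self.context.auth_url = 'http://192.168.10.10:5000/v3'
  self.context.user_name = 'fake_user'
  self.context.tenant = 'fake_tenant'
  osc_patcher = mock.patch('magnum.common.clients.OpenStackClients')
  self.mock_osc_class = osc_patcher.start()
  self.addCleanup(osc_patcher.stop)
  self.mock_osc = mock.MagicMock()
+ self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
  self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
  self.mock_osc.cinder_region_name.return_value = 'RegionOne'
  self.mock_keystone = mock.MagicMock()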
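Review bot: The setup only stubs `self.mock_osc.url_for.return_value`, so as far as the visible hunks show, the tests would still pass if `get_params` ignored `trustee_keystone_interface` entirely. A test that exercises template parameters should assert the call, e.g. `self.mock_osc.url_for.assert_called_with(service_type='identity', interface='public', version=3)`, ideally with a second case that overrides the option to `internal`. The same gap applies to the Mesos and Swarm conductor test sections. The test methods themselves are outside this hunk.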
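diff --git a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
index c21f3b6..2939acf 100644
--- a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
@@ -67,7 +67,6 @@ class TestClusterConductorWithMesos(base.TestCase):
  'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
  'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
  }
- self.context.auth_url = 'http://192.168.10.10:5000/v3'
  self.context.user_name = 'mesos_user'
  self.context.tenant = 'admin'
  self.context.domain_name = 'domainname'
@@ -80,6 +79,7 @@ class TestClusterConductorWithMesos(base.TestCase):
  self.mock_keystone.trustee_domain_id = 'trustee_domain_id'
  self.mock_osc.keystone.return_value = self.mock_keystone
  self.mock_osc_class.return_value = self.mock_osc
+ self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
 
  @patch('magnum.objects.ClusterTemplate.get_by_uuid')
  @patch('magnum.drivers.common.driver.Driver.get_driver')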
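diff --git a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
index b61cc65..e0085f1 100644
--- a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
@@ -85,11 +85,11 @@ class TestClusterConductorWithSwarm(base.TestCase):
  self.addCleanup(osc_patcher.stop)
  self.mock_osc = mock.MagicMock()
  self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
+ self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
  self.mock_keystone = mock.MagicMock()
  self.mock_keystone.trustee_domain_id = 'trustee_domain_id'
  self.mock_osc.keystone.return_value = self.mock_keystone
  self.mock_osc_class.return_value = self.mock_osc
- self.context.auth_url = 'http://192.168.10.10:5000/v3'
 
  @patch('requests.get')
  @patch('magnum.objects.ClusterTemplate.get_by_uuid')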
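diff --git a/releasenotes/notes/keystone_trustee_interface-6d63b74616dda1d4.yaml b/releasenotes/notes/keystone_trustee_interface-6d63b74616dda1d4.yaml
new file mode 100644
index 0000000..65db0ca
--- /dev/null
+++ b/releasenotes/notes/keystone_trustee_interface-6d63b74616dda1d4.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Keystone URL used by Cluster Templates instances to authenticate is now
+ configurable with the ``trustee_keystone_interface`` parameter
+ which default to ``public``.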