author Mathieu Velten <mathieu.velten@cern.ch> 2017-03-13 18:33:47 +0100
committer Mathieu Velten <mathieu.velten@cern.ch> 2017-05-09 17:48:59 +0200
commit 73f4d639c52899afd81fee6ffb374b4ecd9140f0
tree 027ee258cd792c316cadc0912b2372162ecb11be
parent 134df59fb1d8f482b562d072092f84028d963272
Fix usage of the trustee user in K8S Cinder plugin
Notes (review):
    Code-Review+2: Spyros Trigazis <strigazi@gmail.com>
    Code-Review+1: Kevin Lefevre <lefevre.kevin@gmail.com>
    Code-Review+2: Ton Ngo <ton@us.ibm.com>
    Workflow+1: Ton Ngo <ton@us.ibm.com>
    Verified+2: Jenkins
    Submitted-by: Jenkins
    Submitted-at: Wed, 10 May 2017 04:28:08 +0000
    Reviewed-on: https://review.openstack.org/456501
    Project: openstack/magnum
    Branch: refs/heads/stable/ocata
-rw-r--r-- doc/source/dev/kubernetes-load-balancer.rst 55
-rw-r--r-- doc/source/userguide.rst 51
-rw-r--r-- magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh 24
-rw-r--r-- magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh 44
-rw-r--r-- magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml 1
-rw-r--r-- magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml 2
-rw-r--r-- magnum/drivers/common/templates/kubernetes/fragments/write-kube-os-config.sh 9
-rw-r--r-- magnum/drivers/heat/template_def.py 14
-rw-r--r-- magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml 1
-rw-r--r-- magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml 5
-rw-r--r-- magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml 9
-rw-r--r-- magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py 2
-rw-r--r-- specs/containers-service.rst 2
13 files changed, 50 insertions, 169 deletions
diff --git a/doc/source/dev/kubernetes-load-balancer.rst b/doc/source/dev/kubernetes-load-balancer.rst
index 34360ec..c744393 100644
--- a/doc/source/dev/kubernetes-load-balancer.rst
+++ b/doc/source/dev/kubernetes-load-balancer.rst
@@ -78,57 +78,7 @@ neutron_lbaas.conf::
78 78
79To configure LBaaS v1 or v2, refer to the Neutron documentation. 79To configure LBaaS v1 or v2, refer to the Neutron documentation.
80 80
81To enable the load balancer, log into each master node of your cluster and 81Before deleting the Kubernetes cluster, make sure to
82perform the following steps:
83
841. Configure kube-apiserver::
85
86 sudo vi /etc/kubernetes/apiserver
87
88 Comment out the line::
89
90 #KUBE_API_ARGS="--runtime_config=api/all=true"
91
92 Uncomment the line::
93
94 KUBE_API_ARGS="--runtime_config=api/all=true --cloud_config=/etc/sysconfig/kube_openstack_config --cloud_provider=openstack"""
95
962. Configure kube-controller-manager::
97
98 sudo vi /etc/kubernetes/manifests/kube-controller-manager.yaml
99
100 Immediately after the lines::
101
102 - controller-manager
103 - --master=http://127.0.0.1:8080
104 - --service-account-private-key-file=/etc/kubernetes/ssl/server.key
105 - --root-ca-file=/etc/kubernetes/ssl/ca.crt
106
107 Add the following lines::
108
109 - --cloud_config=/etc/sysconfig/kube_openstack_config
110 - --cloud_provider=openstack
111
112 When the file is saved, the pod will automatically restart the
113 kube-controller-manager container to pick up the change.
114
1153. Enter OpenStack user credential::
116
117 sudo vi /etc/sysconfig/kube_openstack_config
118
119 The username and tenant-name entries have been filled in with the
120 Keystone values of the user who created the cluster. Enter the password
121 of this user on the entry for password::
122
123 password=ChangeMe
124
1254. Restart the Kubernetes API server::
126
127 sudo service kube-apiserver restart
128 service kube-apiserver status
129
130This only needs to be done once. The steps can be reversed to disable the
131load balancer feature. Before deleting the Kubernetes cluster, make sure to
132delete all the services that created load balancers. Because the Neutron 82delete all the services that created load balancers. Because the Neutron
133objects created by Kubernetes are not managed by Heat, they will not be 83objects created by Kubernetes are not managed by Heat, they will not be
134deleted by Heat and this will cause the cluster-delete operation to fail. If 84deleted by Heat and this will cause the cluster-delete operation to fail. If
@@ -138,6 +88,9 @@ lb-healthmonitor) and then run cluster-delete again.
138Steps for the users 88Steps for the users
139=================== 89===================
140 90
91This feature requires the OpenStack cloud provider to be enabled.
92To do so, enable the cinder support (--volume-driver cinder).
93
141For the user, publishing the service endpoint externally involves the following 94For the user, publishing the service endpoint externally involves the following
1422 steps: 952 steps:
143 96
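Review bot: The two added lines (new 91-92) say the OpenStack cloud provider is enabled by --volume-driver cinder, but the master and minion fragments in this same change add the --cloud-provider=openstack flags under "if [ -n "$TRUST_ID" ]", and template_def.py only fills trust_id when trust/cluster_user_trust is set. The text should name that magnum.conf setting as the prerequisite, or the scripts should also test VOLUME_DRIVER so that the documented switch is the one that takes effect.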
diff --git a/doc/source/userguide.rst b/doc/source/userguide.rst
index f640d85..4aa4c58 100644
--- a/doc/source/userguide.rst
+++ b/doc/source/userguide.rst
@@ -2202,12 +2202,8 @@ Following are some examples for using Cinder as persistent storage.
2202Using Cinder in Kubernetes 2202Using Cinder in Kubernetes
2203++++++++++++++++++++++++++ 2203++++++++++++++++++++++++++
2204 2204
2205**NOTE:** This feature requires Kubernetes version 1.1.1 or above and 2205**NOTE:** This feature requires Kubernetes version 1.5.0 or above.
2206Docker version 1.8.3 or above. The public Fedora image from Atomic 2206The public Fedora image from Atomic currently meets this requirement.
2207currently meets this requirement.
2208
2209**NOTE:** The following steps are a temporary workaround, and Magnum's
2210development team is working on a long term solution to automate these steps.
2211 2207
22121. Create the ClusterTemplate. 22081. Create the ClusterTemplate.
2213 2209
@@ -2230,49 +2226,6 @@ development team is working on a long term solution to automate these steps.
2230 --cluster-template k8s-cluster-template \ 2226 --cluster-template k8s-cluster-template \
2231 --node-count 1 2227 --node-count 1
2232 2228
2233
22343. Configure kubelet.
2235
2236 To allow Kubernetes to interface with Cinder, log into each minion
2237 node of your cluster and perform step 4 through 6::
2238
2239 sudo vi /etc/kubernetes/kubelet
2240
2241 Comment out the line::
2242
2243 #KUBELET_ARGS=--config=/etc/kubernetes/manifests --cadvisor-port=4194
2244
2245 Uncomment the line::
2246
2247 #KUBELET_ARGS="--config=/etc/kubernetes/manifests --cadvisor-port=4194 --cloud-provider=openstack --cloud-config=/etc/kubernetes/kube_openstack_config"
2248
2249
22504. Enter OpenStack user credential::
2251
2252 sudo vi /etc/kubernetes/kube_openstack_config
2253
2254 The username, tenant-name and region entries have been filled in with the
2255 Keystone values of the user who created the cluster. Enter the password
2256 of this user on the entry for password::
2257
2258 password=ChangeMe
2259
22605. Restart Kubernetes services::
2261
2262 sudo systemctl restart kubelet
2263
2264 On restart, the new configuration enables the Kubernetes cloud provider
2265 plugin for OpenStack, along with the necessary credential for kubelet
2266 to authenticate with Keystone and to make request to OpenStack services.
2267
22686. Install nsenter::
2269
2270 sudo docker run -v /usr/local/bin:/target jpetazzo/nsenter
2271
2272 The nsenter utility is used by Kubernetes to run new processes within
2273 existing kernel namespaces. This allows the kubelet agent to manage storage
2274 for pods.
2275
2276Kubernetes is now ready to use Cinder for persistent storage. 2229Kubernetes is now ready to use Cinder for persistent storage.
2277Following is an example illustrating how Cinder is used in a pod. 2230Following is an example illustrating how Cinder is used in a pod.
2278 2231
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
index 2406ad1..b038936 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@@ -4,11 +4,6 @@
4 4
5echo "configuring kubernetes (master)" 5echo "configuring kubernetes (master)"
6 6
7if [ -z "$KUBE_NODE_IP" ]; then
8 # FIXME(yuanying): Set KUBE_NODE_IP correctly
9 KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
10fi
11
12sed -i ' 7sed -i '
13 /^KUBE_ALLOW_PRIV=/ s/=.*/="--allow-privileged='"$KUBE_ALLOW_PRIV"'"/ 8 /^KUBE_ALLOW_PRIV=/ s/=.*/="--allow-privileged='"$KUBE_ALLOW_PRIV"'"/
14' /etc/kubernetes/config 9' /etc/kubernetes/config
@@ -30,6 +25,10 @@ if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
30 KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}" 25 KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}"
31fi 26fi
32 27
28if [ -n "$TRUST_ID" ]; then
29 KUBE_API_ARGS="$KUBE_API_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
30fi
31
33sed -i ' 32sed -i '
34 /^KUBE_API_ADDRESS=/ s/=.*/="'"${KUBE_API_ADDRESS}"'"/ 33 /^KUBE_API_ADDRESS=/ s/=.*/="'"${KUBE_API_ADDRESS}"'"/
35 /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"| 34 /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
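Review bot: The new block at lines 28-30 turns on the OpenStack cloud provider for kube-apiserver whenever TRUST_ID is non-empty, and with the template_def.py change in this commit that is every cluster on a deployment with cluster_user_trust enabled, not only clusters created with the cinder volume driver. VOLUME_DRIVER is now written to the master's heat params by this patch but is not read in any hunk of this script; consider testing it here as well (the same applies to the controller-manager block further down) so that the provider and its credentials file are only wired in when the feature was requested.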
@@ -38,10 +37,7 @@ sed -i '
38 /^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/ 37 /^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
39' /etc/kubernetes/apiserver 38' /etc/kubernetes/apiserver
40cat << _EOC_ >> /etc/kubernetes/apiserver 39cat << _EOC_ >> /etc/kubernetes/apiserver
41#Uncomment the following line to disable Load Balancer feature
42KUBE_API_ARGS="$KUBE_API_ARGS" 40KUBE_API_ARGS="$KUBE_API_ARGS"
43#Uncomment the following line to enable Load Balancer feature
44#KUBE_API_ARGS="$KUBE_API_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
45_EOC_ 41_EOC_
46 42
47# Add controller manager args 43# Add controller manager args
@@ -49,16 +45,18 @@ KUBE_CONTROLLER_MANAGER_ARGS=""
49if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then 45if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
50 KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key --root-ca-file=/srv/kubernetes/ca.crt" 46 KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key --root-ca-file=/srv/kubernetes/ca.crt"
51fi 47fi
48
49if [ -n "$TRUST_ID" ]; then
50 KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
51fi
52
52sed -i ' 53sed -i '
53 /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/ 54 /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
54 /^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"# 55 /^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
55' /etc/kubernetes/controller-manager 56' /etc/kubernetes/controller-manager
56cat << _EOC_ >> /etc/kubernetes/controller-manager
57#Uncomment the following line to enable Kubernetes Load Balancer feature
58#KUBE_CONTROLLER_MANAGER_ARGS="\$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
59_EOC_
60 57
61KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=$KUBE_NODE_IP" 58HOSTNAME_OVERRIDE=$(hostname --short | sed 's/\.novalocal//')
59KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=${HOSTNAME_OVERRIDE}"
62 60
63if [ -n "${INSECURE_REGISTRY_URL}" ]; then 61if [ -n "${INSECURE_REGISTRY_URL}" ]; then
64 KUBELET_ARGS="${KUBELET_ARGS} --pod-infra-container-image=${INSECURE_REGISTRY_URL}/google_containers/pause\:0.8.0" 62 KUBELET_ARGS="${KUBELET_ARGS} --pod-infra-container-image=${INSECURE_REGISTRY_URL}/google_containers/pause\:0.8.0"
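Review bot: New line 58 changes the name the master kubelet registers under from KUBE_NODE_IP to the short hostname, with no comment saying why. The minion script carries a comment that the node name must match the Nova instance name or the load balancer and Cinder volume features break; repeat that comment above HOSTNAME_OVERRIDE here. Also, "hostname --short" should already cut the name at the first dot, so the sed that strips ".novalocal" looks redundant in both scripts.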
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
index d48cbb4..3e50cba 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
@@ -4,11 +4,6 @@
4 4
5echo "configuring kubernetes (minion)" 5echo "configuring kubernetes (minion)"
6 6
7if [ -z "$KUBE_NODE_IP" ]; then
8 # FIXME(yuanying): Set KUBE_NODE_IP correctly
9 KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
10fi
11
12CERT_DIR=/srv/kubernetes 7CERT_DIR=/srv/kubernetes
13PROTOCOL=https 8PROTOCOL=https
14FLANNEL_OPTIONS="-etcd-cafile $CERT_DIR/ca.crt \ 9FLANNEL_OPTIONS="-etcd-cafile $CERT_DIR/ca.crt \
@@ -52,8 +47,17 @@ sed -i '
52# The hostname of the node is set to be the Nova name of the instance, and 47# The hostname of the node is set to be the Nova name of the instance, and
53# the option --hostname-override for kubelet uses the hostname to register the node. 48# the option --hostname-override for kubelet uses the hostname to register the node.
54# Using any other name will break the load balancer and cinder volume features. 49# Using any other name will break the load balancer and cinder volume features.
55HOSTNAME=$(hostname --short | sed 's/\.novalocal//') 50HOSTNAME_OVERRIDE=$(hostname --short | sed 's/\.novalocal//')
56KUBELET_ARGS="--config=/etc/kubernetes/manifests --cadvisor-port=4194 ${KUBE_CONFIG} --hostname-override=${HOSTNAME}" 51KUBELET_ARGS="--config=/etc/kubernetes/manifests --cadvisor-port=4194 ${KUBE_CONFIG} --hostname-override=${HOSTNAME_OVERRIDE}"
52
53if [ -n "$TRUST_ID" ]; then
54 KUBELET_ARGS="$KUBELET_ARGS --cloud-provider=openstack --cloud-config=/etc/sysconfig/kube_openstack_config"
55fi
56
57# Workaround for Cinder support (fixed in k8s >= 1.6)
58if [ ! -f /usr/bin/udevadm ]; then
59 ln -s /sbin/udevadm /usr/bin/udevadm
60fi
57 61
58if [ -n "${INSECURE_REGISTRY_URL}" ]; then 62if [ -n "${INSECURE_REGISTRY_URL}" ]; then
59 KUBELET_ARGS="${KUBELET_ARGS} --pod-infra-container-image=${INSECURE_REGISTRY_URL}/google_containers/pause\:0.8.0" 63 KUBELET_ARGS="${KUBELET_ARGS} --pod-infra-container-image=${INSECURE_REGISTRY_URL}/google_containers/pause\:0.8.0"
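Review bot: The udevadm symlink at new lines 57-60 is labelled a Cinder workaround but now runs on every minion; before this change it sat inside the "if [ "$VOLUME_DRIVER" = "cinder" ]" block that a later hunk of this file removes. Move it inside the "if [ -n "$TRUST_ID" ]" block just above it, or state in the comment that it is applied unconditionally on purpose.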
@@ -86,32 +90,6 @@ if [ "$NETWORK_DRIVER" = "flannel" ]; then
86 done 90 done
87fi 91fi
88 92
89if [ "$VOLUME_DRIVER" = "cinder" ]; then
90 CLOUD_CONFIG=/etc/kubernetes/kube_openstack_config
91 KUBERNETES=/etc/kubernetes
92 if [ ! -d ${KUBERNETES} -o ! -f ${CLOUD_CONFIG} ]; then
93 mkdir -p $KUBERNETES
94 fi
95 AUTH_URL=${AUTH_URL/v3/v2.0}
96cat > $CLOUD_CONFIG <<EOF
97[Global]
98auth-url=$AUTH_URL
99username=$USERNAME
100password=$PASSWORD
101region=$REGION_NAME
102tenant-name=$TENANT_NAME
103EOF
104
105cat << _EOC_ >> /etc/kubernetes/kubelet
106#KUBELET_ARGS="$KUBELET_ARGS --cloud-provider=openstack --cloud-config=/etc/kubernetes/kube_openstack_config"
107_EOC_
108
109 if [ ! -f /usr/bin/udevadm ]; then
110 ln -s /sbin/udevadm /usr/bin/udevadm
111 fi
112
113fi
114
115cat >> /etc/environment <<EOF 93cat >> /etc/environment <<EOF
116KUBERNETES_MASTER=$KUBE_MASTER_URI 94KUBERNETES_MASTER=$KUBE_MASTER_URI
117EOF 95EOF
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
index ec0f1f6..9fba497 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
@@ -29,6 +29,7 @@ write_files:
29 TLS_DISABLED="$TLS_DISABLED" 29 TLS_DISABLED="$TLS_DISABLED"
30 CLUSTER_UUID="$CLUSTER_UUID" 30 CLUSTER_UUID="$CLUSTER_UUID"
31 MAGNUM_URL="$MAGNUM_URL" 31 MAGNUM_URL="$MAGNUM_URL"
32 VOLUME_DRIVER="$VOLUME_DRIVER"
32 HTTP_PROXY="$HTTP_PROXY" 33 HTTP_PROXY="$HTTP_PROXY"
33 HTTPS_PROXY="$HTTPS_PROXY" 34 HTTPS_PROXY="$HTTPS_PROXY"
34 NO_PROXY="$NO_PROXY" 35 NO_PROXY="$NO_PROXY"
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml
index 20a98fa..d6b575f 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml
@@ -37,8 +37,6 @@ write_files:
37 WAIT_CURL="$WAIT_CURL" 37 WAIT_CURL="$WAIT_CURL"
38 KUBE_VERSION="$KUBE_VERSION" 38 KUBE_VERSION="$KUBE_VERSION"
39 TRUSTEE_USER_ID="$TRUSTEE_USER_ID" 39 TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
40 TRUSTEE_USERNAME="$TRUSTEE_USERNAME"
41 TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD" 40 TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
42 TRUSTEE_DOMAIN_ID="$TRUSTEE_DOMAIN_ID"
43 TRUST_ID="$TRUST_ID" 41 TRUST_ID="$TRUST_ID"
44 INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL" 42 INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL"
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-kube-os-config.sh b/magnum/drivers/common/templates/kubernetes/fragments/write-kube-os-config.sh
index 2430788..924085e 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-kube-os-config.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-kube-os-config.sh
@@ -4,17 +4,14 @@
4 4
5KUBE_OS_CLOUD_CONFIG=/etc/sysconfig/kube_openstack_config 5KUBE_OS_CLOUD_CONFIG=/etc/sysconfig/kube_openstack_config
6 6
7# kubernetes backend only support keystone v2 at this point
8AUTH_URL=$(echo "$AUTH_URL" | sed 's/v3/v2.0/')
9
10# Generate a the configuration for Kubernetes services 7# Generate a the configuration for Kubernetes services
11# to talk to OpenStack Neutron 8# to talk to OpenStack Neutron
12cat > $KUBE_OS_CLOUD_CONFIG <<EOF 9cat > $KUBE_OS_CLOUD_CONFIG <<EOF
13[Global] 10[Global]
14auth-url=$AUTH_URL 11auth-url=$AUTH_URL
15username=$USERNAME 12user-id=$TRUSTEE_USER_ID
16password=$PASSWORD 13password=$TRUSTEE_PASSWORD
17tenant-name=$TENANT_NAME 14trust-id=$TRUST_ID
18[LoadBalancer] 15[LoadBalancer]
19subnet-id=$CLUSTER_SUBNET 16subnet-id=$CLUSTER_SUBNET
20create-monitor=yes 17create-monitor=yes
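Review bot: The file written by "cat > $KUBE_OS_CLOUD_CONFIG" at line 9 now holds the trustee password and the trust ID, and nothing in the visible hunk restricts its mode, so it is created with whatever umask the boot-time script inherits. Set "umask 077" before the heredoc or chmod the file to 0600 right after it, with an owner the Kubernetes services can read. Separately, the removed comment explained the v3 to v2.0 rewrite of AUTH_URL; now that the rewrite is gone, a one-line comment that the trust-id entry needs a Keystone v3 endpoint would keep the script self-explanatory.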
diff --git a/magnum/drivers/heat/template_def.py b/magnum/drivers/heat/template_def.py
index 5485c10..4a3b7e0 100644
--- a/magnum/drivers/heat/template_def.py
+++ b/magnum/drivers/heat/template_def.py
@@ -21,7 +21,6 @@ import six
21from magnum.common import clients 21from magnum.common import clients
22from magnum.common import exception 22from magnum.common import exception
23import magnum.conf 23import magnum.conf
24from magnum.i18n import _LE
25from magnum.i18n import _LW 24from magnum.i18n import _LW
26 25
27from requests import exceptions as req_exceptions 26from requests import exceptions as req_exceptions
@@ -247,16 +246,9 @@ class BaseTemplateDefinition(TemplateDefinition):
247 extra_params['trustee_username'] = cluster.trustee_username 246 extra_params['trustee_username'] = cluster.trustee_username
248 extra_params['trustee_password'] = cluster.trustee_password 247 extra_params['trustee_password'] = cluster.trustee_password
249 248
250 # Only pass trust ID into the template when it is needed. 249 # Only pass trust ID into the template if allowed by the config file
251 if (cluster_template.volume_driver == 'rexray' or 250 if CONF.trust.cluster_user_trust:
252 cluster_template.registry_enabled): 251 extra_params['trust_id'] = cluster.trust_id
253 if CONF.trust.cluster_user_trust:
254 extra_params['trust_id'] = cluster.trust_id
255 else:
256 missing_setting = ('trust/cluster_user_trust = True')
257 msg = _LE('This cluster can only be created with %s in '
258 'magnum.conf')
259 raise exception.ConfigInvalid(msg % missing_setting)
260 else: 252 else:
261 extra_params['trust_id'] = "" 253 extra_params['trust_id'] = ""
262 254
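Review bot: The removed branch at old lines 251-259 raised ConfigInvalid when a cluster template used rexray or had registry_enabled while trust/cluster_user_trust was off; after this change those clusters are created with trust_id set to "" and no error. If those features still need the trust, keep the check for them (and add cinder to it) so the failure is reported at create time instead of on the node. The other side of the change is that the trust ID is now passed into the template for every cluster when the option is on, so the comment at new line 249 should say that this widens where the trust is delivered.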
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index 8eec685..0053284 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -438,6 +438,7 @@ resources:
438 discovery_url: {get_param: discovery_url} 438 discovery_url: {get_param: discovery_url}
439 cluster_uuid: {get_param: cluster_uuid} 439 cluster_uuid: {get_param: cluster_uuid}
440 magnum_url: {get_param: magnum_url} 440 magnum_url: {get_param: magnum_url}
441 volume_driver: {get_param: volume_driver}
441 fixed_network: {get_attr: [network, fixed_network]} 442 fixed_network: {get_attr: [network, fixed_network]}
442 fixed_subnet: {get_attr: [network, fixed_subnet]} 443 fixed_subnet: {get_attr: [network, fixed_subnet]}
443 api_pool_id: {get_attr: [api_lb, pool_id]} 444 api_pool_id: {get_attr: [api_lb, pool_id]}
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
index 4ea56fe..ac60e04 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
@@ -48,6 +48,10 @@ parameters:
48 constraints: 48 constraints:
49 - allowed_values: ["devicemapper", "overlay"] 49 - allowed_values: ["devicemapper", "overlay"]
50 50
51 volume_driver:
52 type: string
53 description: volume driver to use for container storage
54
51 flannel_network_cidr: 55 flannel_network_cidr:
52 type: string 56 type: string
53 description: network range for flannel overlay network 57 description: network range for flannel overlay network
@@ -264,6 +268,7 @@ resources:
264 "$TLS_DISABLED": {get_param: tls_disabled} 268 "$TLS_DISABLED": {get_param: tls_disabled}
265 "$CLUSTER_UUID": {get_param: cluster_uuid} 269 "$CLUSTER_UUID": {get_param: cluster_uuid}
266 "$MAGNUM_URL": {get_param: magnum_url} 270 "$MAGNUM_URL": {get_param: magnum_url}
271 "$VOLUME_DRIVER": {get_param: volume_driver}
267 "$HTTP_PROXY": {get_param: http_proxy} 272 "$HTTP_PROXY": {get_param: http_proxy}
268 "$HTTPS_PROXY": {get_param: https_proxy} 273 "$HTTPS_PROXY": {get_param: https_proxy}
269 "$NO_PROXY": {get_param: no_proxy} 274 "$NO_PROXY": {get_param: no_proxy}
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
index 88c610d..5298a9a 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml
@@ -249,9 +249,7 @@ resources:
249 $NO_PROXY: {get_param: no_proxy} 249 $NO_PROXY: {get_param: no_proxy}
250 $KUBE_VERSION: {get_param: kube_version} 250 $KUBE_VERSION: {get_param: kube_version}
251 $WAIT_CURL: {get_attr: [minion_wait_handle, curl_cli]} 251 $WAIT_CURL: {get_attr: [minion_wait_handle, curl_cli]}
252 $TRUSTEE_DOMAIN_ID: {get_param: trustee_domain_id}
253 $TRUSTEE_USER_ID: {get_param: trustee_user_id} 252 $TRUSTEE_USER_ID: {get_param: trustee_user_id}
254 $TRUSTEE_USERNAME: {get_param: trustee_username}
255 $TRUSTEE_PASSWORD: {get_param: trustee_password} 253 $TRUSTEE_PASSWORD: {get_param: trustee_password}
256 $TRUST_ID: {get_param: trust_id} 254 $TRUST_ID: {get_param: trust_id}
257 $AUTH_URL: {get_param: auth_url} 255 $AUTH_URL: {get_param: auth_url}
@@ -263,6 +261,12 @@ resources:
263 group: ungrouped 261 group: ungrouped
264 config: {get_file: ../../common/templates/kubernetes/fragments/write-kubeconfig.yaml} 262 config: {get_file: ../../common/templates/kubernetes/fragments/write-kubeconfig.yaml}
265 263
264 write_kube_os_config:
265 type: OS::Heat::SoftwareConfig
266 properties:
267 group: ungrouped
268 config: {get_file: ../../common/templates/kubernetes/fragments/write-kube-os-config.sh}
269
266 make_cert: 270 make_cert:
267 type: OS::Heat::SoftwareConfig 271 type: OS::Heat::SoftwareConfig
268 properties: 272 properties:
@@ -352,6 +356,7 @@ resources:
352 - config: {get_resource: disable_selinux} 356 - config: {get_resource: disable_selinux}
353 - config: {get_resource: write_heat_params} 357 - config: {get_resource: write_heat_params}
354 - config: {get_resource: write_kubeconfig} 358 - config: {get_resource: write_kubeconfig}
359 - config: {get_resource: write_kube_os_config}
355 - config: {get_resource: make_cert} 360 - config: {get_resource: make_cert}
356 - config: {get_resource: kube_examples} 361 - config: {get_resource: kube_examples}
357 - config: {get_resource: configure_docker_storage} 362 - config: {get_resource: configure_docker_storage}
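Review bot: Adding write_kube_os_config to the list at new line 359 runs the fragment on every minion, and the fragment as changed in this commit writes the trustee user ID and password without checking TRUST_ID. With cluster_user_trust disabled the minion still gets /etc/sysconfig/kube_openstack_config with an empty trust-id and a further copy of the trustee password that no service is configured to use. Have the fragment exit early when TRUST_ID is empty so that the secret is only placed where it is needed.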
diff --git a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
index e3b3036..b61cc65 100644
--- a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
@@ -286,7 +286,7 @@ class TestClusterConductorWithSwarm(base.TestCase):
286 'trustee_username': 'fake_trustee', 286 'trustee_username': 'fake_trustee',
287 'trustee_password': 'fake_trustee_password', 287 'trustee_password': 'fake_trustee_password',
288 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', 288 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
289 'trust_id': '', 289 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
290 'auth_url': 'http://192.168.10.10:5000/v3', 290 'auth_url': 'http://192.168.10.10:5000/v3',
291 'swarm_version': 'fake-version', 291 'swarm_version': 'fake-version',
292 'swarm_strategy': u'spread', 292 'swarm_strategy': u'spread',
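Review bot: The expected trust_id at line 289 changes from '' to a fixed UUID, and the diffstat shows this as the only test file touched. Add a case with cluster_user_trust set to False asserting that trust_id is '', and one for the Kubernetes driver, since the ConfigInvalid branch removed from template_def.py leaves the new behaviour for rexray and registry_enabled clusters without a visible test.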
diff --git a/specs/containers-service.rst b/specs/containers-service.rst
index ca48b39..7905e14 100644
--- a/specs/containers-service.rst
+++ b/specs/containers-service.rst
@@ -175,7 +175,7 @@ with the Containers Service, and can be controlled only by a Nova virt driver.
175 |           +-------+ |  | +-----+                   | 175 |           +-------+ |  | +-----+                   |
176 |                     |  |                           | 176 |                     |  |                           |
177 +-----------+---------+  +---------------+-----------+ 177 +-----------+---------+  +---------------+-----------+
178             |                            |             178             |                            |
179 +-----------+----+ Compute Host ---------|-----------+ 179 +-----------+----+ Compute Host ---------|-----------+
180 |                                    +---+---+       | 180 |                                    +---+---+       |
181 |                               +----+ Relay +---+   | 181 |                               +----+ Relay +---+   |
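Review bot: Line 178 is the only changed line in this hunk and it reads the same on both sides, so this is a whitespace-only edit to the ASCII diagram in a file unrelated to the trustee fix. Drop it from this change, or say in the commit message why it is needed.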