Commit Graph

21 Commits

Author SHA1 Message Date
Diogo Guerra 11bcc17568 Drop bay and baymodel from magnum
- Drop bay and baymodel tests
- Drop bay and baymodel from controllers

Depends-On: Ib85e4fda8e4ac467bd49590dc72ba5913bb9a19d

Story: 2009104
Task: 42957
Task: 42959

Signed-off-by: Diogo Guerra <diogo.filipe.tomas.guerra@cern.ch>
Change-Id: Ida2e42c86400438951d9804e3ce122c56a46b94f
2023-05-09 13:59:57 +00:00
Feilong Wang 16344a5a95 Add separated CA cert for etcd and front-proxy
Support creating different CA certs for k8s, etcd and front-proxy for
security hardening. We're following some best practices[1][2] but
adjusted based on the current Magnum deployment approach.

[1] https://kubernetes.io/docs/setup/best-practices/certificates/
[2] https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/

Task: 40687
Story: 2008031

Change-Id: I523a4a85867f82d234ba1f3e6fad8b8cd2291182
2021-04-01 17:31:34 +00:00
Feilong Wang 8020391e4a [k8s] Support CA certs rotate
Now the k8s cluster owner can rotate the CA cert to regenerate the CA of
the cluster; service account keys and the certs of all nodes will
be regenerated as well. The cluster user needs to get a new kubeconfig
to access the kubernetes API. This function is only supported by the
Fedora CoreOS driver.

To test this patch with python-magnumclient, you need this patch
https://review.opendev.org/#/c/724243/, otherwise, you will see
an error about "not enough values to unpack", though the CA cert
rotate request has been processed by Magnum server side correctly.

Task: 39580
Story: 2005201

Change-Id: I4ae12f928e4f49b99732fba097371692cb35d9ee
2020-08-24 16:31:58 +12:00
Mark Goddard f1326626b9 Pass a mutable target to oslo policy enforcer
Magnum API previously passed magnum.objects.cluster.Cluster objects as
the target argument to magnum.common.policy.enforce(). However, enforce()
expects target to be a mutable mapping, as it adds an entry for
trustee_domain_id which is used by the magnum policy.json. This causes
cluster detailed GET requests to fail with the following message:

AttributeError: 'Cluster' object has no attribute 'trustee_domain_id'

This change uses the as_dict() method of the magnum RPC objects to
provide a mutable mapping to the policy enforcer.

Change-Id: I54b136243afff9e0fadae3be4b36cad1679e5721
Closes-Bug: #1689797
2017-05-10 17:47:38 +01:00
Jason Dunsmore c6ad21ea0a Don't enforce microversion for rotate CA cert API
Enforcing microversion 1.5 for the certificates PATCH endpoint
(rotating a CA cert) was not necessary because it is a new endpoint
and not a change to an existing endpoint.  The absence of an
implementation for prior microversions of this endpoint was causing
unexpected behavior.

Change-Id: I33240d6b325843972a6f05d1c93c94b82752d32f
Partial-Bug: #1659431
2017-02-07 15:28:09 -06:00
Jason Dunsmore a65ef7d3c3 Add an API to rotate a cluster CA certificate
This will give admins a way to revoke access to an existing cluster
once a user has been granted access.

Bumped the API microversion to 1.5 for the new endpoint.

Deprecated policy certificate:get in favor of certificate:get_ca for
clarity and consistency.

Depends-On: Ie960464e45445e195e75b91e8d65a4046eb21e93
Implements: blueprint revoke-cluster-cert
Change-Id: Ief28bef3a79f212acf4166e443a96e5419fbb757
2017-01-23 21:26:05 -06:00
Jaycen Grant 729c2d0ab4 Rename Bay DB, Object, and internal usage to Cluster
This is patch 3 of 3 to change the internal usage of the terms
Bay and BayModel.  This patch updates Bay to Cluster in DB and
Object as well as all the usages.  No functionality should be
changed by this patch, just naming and db updates.

Change-Id: Ife04b0f944ded03ca932d70e09e6766d09cf5d9f
Implements: blueprint rename-bay-to-cluster
2016-09-08 13:01:12 -07:00
Jaycen Grant 8e0de76aff Rename bay to cluster in certificate object and references
This is patch #2 of 3 to rename the term bay to cluster within
the internal references and objects of magnum. This patch changes
all references to the certificate objects bay_uuid field to
cluster_uuid. Certificate does not have a db table so no db
changes were made. No functionality is changed by this patch,
just internal naming.

Change-Id: I68a3b87b75b49de43a7855355807b50a4ae695f3
Implements: blueprint rename-bay-to-cluster
2016-09-01 08:48:24 -07:00
Jaycen Grant 8aed31a6a6 Add cluster to cert commands
This patch will update the certificate api to use the term Cluster
instead of Bay.  Bay will still be supported, but will be deprecated
and removed in a future release.

Change-Id: Ie169162a743320813e636597240941b5dd59ded3
Implements: blueprint rename-bay-to-cluster
2016-08-24 19:00:59 +00:00
Jaycen Grant eaddb942fd Rename Bay to Cluster in api
This is the first of several patches to add new Cluster commands
that will replace the Bay terminology in Magnum. This patch adds
the new Cluster and ClusterTemplate commands in addition to the
Bay and Baymodel commands.  Additional patches will be created
for client, docs, and additional functional tests.

Change-Id: Ie686281a6f98a1a9931158d2a79eee6ac21ed9a1
Implements: blueprint rename-bay-to-cluster
2016-08-17 22:24:45 +00:00
Jaycen Grant e6a71b9e6d Add microversioning support for methods
Adds the functionality to allow versioning of api methods
by adding a decorator api_version("min_version",
"max_version"). This is similar to how nova implemented api
versioning but updated to work with pecan.

Change-Id: Ie18d92531487f7c107b5132b3d35f38bd0a37aa0
Implements: blueprint api-versioning
2016-08-03 13:28:48 -07:00
yuyafei 85a2fdd70b Correct reraising of exception
When an exception was caught and rethrown, it should call 'raise'
without any arguments because that shows the place where the exception
occurred initially instead of the place where the exception was re-raised.

Change-Id: If180215bda5592c0cba92cb2c9b3a61c13d62ccf
2016-07-08 12:25:23 +08:00
Jenkins 59a90eaeb8 Merge "replace wsexpose by magnum.api.expose.expose" 2016-04-12 14:40:46 +00:00
Hua Wang 7453c46086 replace wsexpose by magnum.api.expose.expose
The support for XML is deprecated; we should check for it in expose.

Change-Id: I68661b0acd5d08bd58b8418832eacb0521b8a7b5
2016-04-12 14:38:55 +08:00
Hua Wang 924e94dfcc Fix doc for certificate
Fix doc for certificate

Change-Id: Ia0972f39d6d9187d4e3f00e4ac8cd03652a0a5b3
2016-04-11 17:18:17 +08:00
Hua Wang ce5b55dd31 limit access to certificate and container:create
Only the user who creates the bay can get the certificate and call
the certificate signing request of the bay and create containers
in the bay, which is needed by [1].

[1] https://github.com/openstack/magnum/blob/master/specs/create-trustee-user-for-each-bay.rst

Change-Id: Id959b76cb136ffbb0e6bcb8c3b83e02b30de66cf
Closes-Bug: #1536883
Partially-Implements: blueprint create-trustee-user-for-each-bay
2016-03-03 15:01:19 +08:00
Hua Wang 138483a0bd Rename get_rpc_resource to get_resource
Rename get_rpc_resource to get_resource, because there is no rpc
call in this method.

Change-Id: I4dfba86b9932c9def08959f7fb1df98b7bc41436
Closes-Bug: #1549650
2016-02-26 10:06:00 +08:00
Hongbin Lu 085631b71b Fixed the incorrect policy enforcement
In API controller, "@expose.expose" should be on top of
"@policy.enforce_wsgi". Otherwise, the output won't have the correct
format and status code. That is because "@expose.expose" will format
the exception before sending the response.

In "enforce_wsgi", use decorator module instead of "functools.wraps".
That is because decorator is signature preserving, which is
necessary for other decorators to work.

Also, added unit tests to ensure the correct error message and status
code will return if the request cannot pass the policy check.

Change-Id: I8b77ba95124c13dd1a46700bc60105bc7e33a579
Related-Bug: #1520311
2016-01-04 20:01:57 -05:00
Hua Wang a09ff4bc25 Remove circular reference
We can not import magnum.api.validation because of a circular reference.

We can reproduce this bug by "tox -egenconfig" or importing
magnum.api.validation in a python console.

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "magnum/api/validation.py", line 20, in <module>
    from magnum.api.controllers.v1 import utils as api_utils
  File "magnum/api/controllers/v1/__init__.py", line 30, in <module>
    from magnum.api.controllers.v1 import baymodel
  File "magnum/api/controllers/v1/baymodel.py", line 29, in <module>
    from magnum.api import validation
ImportError: cannot import name validation

Change-Id: Ib73d7f1d989b9bc860bfadafa52e9a83996f5de9
Closes-Bug: #1521840
2015-12-02 15:06:17 +08:00
wangqun 8c7925a018 timeutils.utcnow should be used instead of datetime.datetime.utcnow
Developer should use timeutils.utcnow to replace the
datetime.datetime.utcnow.

Change-Id: Ifaca72e286a805632cd17406464175ba6819a9b0
Closes-Bug: #1513308
2015-11-05 13:04:00 +00:00
Madhuri cefc5a9ac3 Add Certificate controller for TLS support.
The Certificate controller has 2 operations:

1. POST

Generate an X509 certificate using the bay's CA cert.
Below is an example of a Certificate POST API request using magnum command:

Example Request:

    curl -X POST -H 'Content-Type: application/json' \
        -d '{"bay_uuid": "<bay_uuid>", "csr": "<csr>"}' \
        http://localhost:9511/v1/certificates

This creates an X509 certificate signed by the given bay's CA and returns
it. No database information is stored in Magnum against it. For each POST
request, a new certificate is generated.

Example Response:

    {"bay_uuid": "<bay_uuid>", "csr": "<csr>",
     "pem": "<pem encoded certificate>"}

2. GET

Fetches the CA cert associated with a bay. Below is an example of a CA GET
API request using magnum command:

Example Request:

    curl -X GET http://localhost:9511/v1/certificates/<bay_uuid>

This fetches the stored CA cert for the given Bay, which can be used to validate
any client and node certificates signed by the Bay's CA. The value for each
is fetched from Barbican or Magnum db based on the different configuration
for storage of certificates.

Example Response:

    {"bay_uuid": "<bay_uuid>", "pem": "<pem encoded certificate>"}

Co-Authored-By: Andrew Melton <andrew.melton@rackspace.com>

Change-Id: I4b72cc1e1bddc7a7c7eeb0ab22d3769a666ccb2b
Partially-Implements: bp secure-kubernetes
2015-09-05 13:45:43 +00:00