With the new config option `keystone_auth_default_policy`, cloud admin
can set a default keystone auth policy for k8s cluster when the
keystone auth is enabled. As a result, user can use their current
keystone user to access k8s cluster as long as they're assigned
correct roles, and they will get the pre-defined permissions
set by the cloud provider.
The default policy now is based on the v2 format recently introduced
in k8s-keystone-auth which is getting more useful now. For example,
in v1 it doesn't support a policy for user to access resources from
all namespaces but kube-system, but v2 can do that.
NOTE: Now we're using openstackmagnum dockerhub repo until CPO
team fixing their image release issue.
Task: 30069
Story: 1755770
Change-Id: I2425e957bd99edc92482b6f11ca0b1f91fe59ff6
Adding the client enables the manipulation of Octavia
resources with Magnum such as during cluster deletion,
being able to clean up non-heat created resouces.
Change-Id: I976ab136e24b98d447d61028ce07d0f5dd9d255a
story: 2004259
task: 27795
Added configuration parameter, verify_ca, to magnum.conf with default
value of True. This parameter is passed to the heat templates to
indicate whether the cluster nodes validate the Certificate Authority
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
This configuration parameter can be set to False to disable CA
validation.
Co-Authored-By: Vijendar Komalla <vijendar.komalla@rackspace.com>
Change-Id: Iab02cb1338b811dac0c147378dbd0e63c83f0413
Partial-Bug: #1663757
* Add osprofiler wsgi middleware. This middleware is used for 2 things:
1) It checks that person who wants to trace is trusted and knows
secret HMAC key.
2) It starts tracing in case of proper trace headers
and adds first wsgi trace point, with info about HTTP request
* Add initialization of osprofiler at start of service
Currently that includes oslo.messaging notifer instance creation
to send Ceilometer backend notifications.
* Traces HTTP/RPC/DB API calls
Demo: https://hieulq.github.io/cluster-create-false-new-html.html
Co-Authored-By: Hieu LE <hieulq@vn.fujitsu.com>
Implements: blueprint osprofiler-support-in-magnum
Change-Id: I7d68995aab81d365433950aada078ef1fcd5469b
Adding config option to limit the max number of clusters
allowed per project. This limit is ignored if there is
an explicit hard limit set for a project in the 'quotas'
table.
Change-Id: I8a904de156c10c210e9e72999cdcbc28e374ea71
Partially-Implements: blueprint resource-quota
Centralize config option of Paths section.
Replace oslo_conf cfg to magnum.conf.
Modify test_conf test case for covering DEFAULT section
Change-Id: I45775016cdfd7e762c9faa5aa18fc020a07c8134
Implements: blueprint centralize-config-magnum
Initialize magnum centralize config folder and test cases.
Change-Id: Ib68e54701e127546fbaa91e3633f50d149a5b878
Implements: blueprint centralize-config-magnum
Feilong Wang