Commit Graph

117 Commits

Author SHA1 Message Date
Takashi Kajinami 32d1890812 Fix missing oslo.versionedobjects library option
This ensures the options for oslo.versionedobjects library are
included in the file generated by oslo-config-generator.

Change-Id: Ie1b28295317a2e5c5fc32b400a777e5e29c55a71
2023-09-19 04:46:37 +00:00
Takashi Kajinami ce217a287c Deploy healthcheck middleware as app instead of filter
Using the healthcheck middleware as a filter is deprecated and
the middleware should be used as an application[1].
 [1] 6feaa13610c450c8486f969703768db5319b4846

This change updates definition and usage of the healthcheck middleware
accordingly to avoid the following deprecation warning.

DeprecationWarning: Using function/method 'Healthcheck.factory()' is
deprecated: The healthcheck middleware must now be configured as
an application, not as a filter.

Change-Id: Ie81140d3b03c315f0a057d2f59754ee14dac539c
2021-08-19 10:21:15 +09:00
Feilong Wang d8df9d0c36 [fedora-atomic][k8s] Support default Keystone auth policy file
With the new config option `keystone_auth_default_policy`, cloud admin
can set a default keystone auth policy for k8s cluster when the
keystone auth is enabled. As a result, user can use their current
keystone user to access k8s cluster as long as they're assigned
correct roles, and they will get the pre-defined permissions
set by the cloud provider.

The default policy now is based on the v2 format recently introduced
in k8s-keystone-auth which is getting more useful now. For example,
in v1 it doesn't support a policy for user to access resources from
all namespaces but kube-system, but v2 can do that.

NOTE: Now we're using openstackmagnum dockerhub repo until the CPO
team fixes their image release issue.

Task: 30069
Story: 1755770

Change-Id: I2425e957bd99edc92482b6f11ca0b1f91fe59ff6
2019-06-11 11:57:15 +12:00
Hieu LE c77e0c709a Register default magnum service and stat policies in code
This commit uses the existing policy-in-code module to move all
default policies for magnum service and stat into code. This commit
also adds helpful documentation about each API those policies protect,
which will be generated in sample policy files and completely remove
usage of policy.json file.

Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code

Change-Id: I01a8ce964bf8bd569d4aa4e899cbcd9855281835
2017-10-23 02:57:29 +00:00
Hieu LE b7ca578416 Register default certificate policies in code
This commit uses the existing policy-in-code module to move all
default policies for certificates into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.

Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code

Change-Id: I1abc75441d7984497739194a273d8bda63f832a0
2017-10-19 01:42:47 +00:00
Hieu LE c14af5c023 Register default quota policies in code
This commit uses the existing policy-in-code module to move all
default policies for quotas into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.

Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code

Change-Id: I2fbd7577545ed08dee10064d321e8c6941324b5d
2017-10-19 01:40:52 +00:00
Hieu LE 38a8fed31a Register default cluster template policies in code
This commit uses the existing policy-in-code module to move all
default policies for cluster templates into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.

Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code

Change-Id: I9a8176ea20e3c925441473d1d84db3a73edca7a5
2017-10-19 01:40:39 +00:00
Hieu LE 0d36f8b8bd Register default cluster policies in code
This commit uses the existing policy-in-code module to move all
default policies for clusters into code. This commit also adds
helpful documentation about each API those policies protect,
which will be generated in sample policy files.

Change-Id: I36e69fe930505c2777f4376be1f6ddf17016998f
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
2017-10-19 01:40:27 +00:00
Hieu LE 1cbb1d451c Register default baymodel policies in code
This commit uses the existing policy-in-code module to move all
default policies for baymodels into code. This commit also adds
helpful documentation about each API those policies protect, which
will be generated in sample policy files.

Change-Id: Ia4409ff712d0e64985d9565e11671b33c8ac9ddf
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
2017-10-19 01:40:11 +00:00
Hieu LE ac0756e60f Register default bay policies in code
This commit uses the existing policy-in-code module to move all
default policies for bays into code. This commit also adds helpful
documentation about each API those policies protect, which will be
generated in sample policy files.

Change-Id: I4221ed56146ed952781f5f38bc4344d8a0d07881
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
2017-10-19 01:40:03 +00:00
Hieu LE e06004d9f5 Implement basic policy module in code
This change prepares the magnum project to start implementing
policies in code. Subsequent patches will register more magnum
policies in code and remove the corresponding entry from the
policy file maintained in source.

This is part of a community effort to provide better user
experience for those having to maintain RBAC policy. More
information on this effort can be found below:
https://governance.openstack.org/tc/goals/queens/policy-in-code.html

Change-Id: I0e2b34067ea1e4d5868df544a9f65ae3f1944c43
Co-authored-By: Dai Dang-Van <daidv@vn.fujitsu.com>
Implements: blueprint policy-in-code
2017-10-19 08:33:58 +07:00
Ricardo Rocha 12052b1253 Set clustertemplate:publish to admin only
Set the clustertemplate:publish policy to be admin only by default -
currently it is admin_or_user, which means any openstack user can create
a public cluster template.

Update tests for bay model and cluster template, splitting tests
requiring admin credentials into a separate class.

Change-Id: I0bfb57c569863f1ecf7d697cd5ac161a9a710432
Closes-Bug: #1687887
2017-05-04 12:16:47 +00:00
Johannes Grassler e93d82e8b3 Fix CVE-2016-7404
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:

* Permissions for /etc/sysconfig/heat-params inside Magnum
  created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
  for a Keystone trust.
* The cluster's Keystone trust id is only passed into
  instances for clusters where that is actually needed. This
  prevents the trustee user from consuming the trust in cases
  where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
default) is introduced. It needs to be explicitly enabled
  by the cloud operator to allow clusters that need the
  trust_id to be passed into instances to work. Without this
  setting, attempts to create such clusters will fail.

Please note that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.

Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
2017-02-09 16:44:27 +01:00
Jenkins 1a2a72f787 Merge "Resource Quota - Adding quota API" 2017-01-25 21:22:24 +00:00
Jenkins 4e1ada7914 Merge "Integrate OSProfiler in Magnum" 2017-01-25 06:47:12 +00:00
Jason Dunsmore a65ef7d3c3 Add an API to rotate a cluster CA certificate
This will give admins a way to revoke access to an existing cluster
once a user has been granted access.

Bumped the API microversion to 1.5 for the new endpoint.

Deprecated policy certificate:get in favor of certificate:get_ca for
clarity and consistency.

Depends-On: Ie960464e45445e195e75b91e8d65a4046eb21e93
Implements: blueprint revoke-cluster-cert
Change-Id: Ief28bef3a79f212acf4166e443a96e5419fbb757
2017-01-23 21:26:05 -06:00
Tovin Seven 32d088b2c1 Integrate OSProfiler in Magnum
* Add osprofiler wsgi middleware. This middleware is used for 2 things:
  1) It checks that the person who wants to trace is trusted and knows
     the secret HMAC key.
  2) It starts tracing in case of proper trace headers
     and adds first wsgi trace point, with info about HTTP request

* Add initialization of osprofiler at start of service
  Currently that includes oslo.messaging notifier instance creation
  to send Ceilometer backend notifications.

* Traces HTTP/RPC/DB API calls

Demo: https://hieulq.github.io/cluster-create-false-new-html.html

Co-Authored-By: Hieu LE <hieulq@vn.fujitsu.com>
Implements: blueprint osprofiler-support-in-magnum
Change-Id: I7d68995aab81d365433950aada078ef1fcd5469b
2017-01-24 07:43:31 +07:00
Vijendar Komalla aa56874bfb Resource Quota - Adding quota API
Change-Id: I7d2da1f86edae002531a529c4ffb469ce9f1777b
Partially-Implements: blueprint resource-quota
2017-01-23 11:00:11 -06:00
Jenkins 942fa495b6 Merge "Magnum stats API" 2017-01-19 07:24:33 +00:00
Vijendar Komalla 51e833137b Magnum stats API
This change introduces a new /stats REST endpoint that
provides the following basic information:
1) Total number of clusters and nodes for the given tenant.
2) Total number of clusters and nodes across all the tenants.
Follow-up patches include more stats.

Change-Id: Iac0bf9343549de31654545d5b1fd7601e56142a7
Partially Implements blueprint magnum-stats-api
2017-01-17 09:48:54 -06:00
Tovin Seven 143687974d Remove extra spaces
Remove extra spaces in ini files

Change-Id: I81b3a98687ff87a0a447c25a479a2ec74c7489c1
2017-01-17 10:21:28 +07:00
Jenkins 4e5e151699 Merge "Add http_proxy_to_wsgi to api-paste" 2016-11-03 10:40:35 +00:00
Deepak 67121813d5 Add http_proxy_to_wsgi to api-paste
This sets up the HTTPProxyToWSGI middleware in front of magnum. The
purpose of this middleware is to set up the request URL correctly in
case there is a proxy.

Closes-Bug: #1590608
Change-Id: I3f22716575af96aea884bd481c023d394a0b00a5
2016-10-26 10:59:56 +00:00
Hieu LE 08a48895c4 Centralize config option: docker_registry section
Centralize config option of docker_registry section.
Replace oslo_conf cfg to magnum.conf.

Change-Id: I43d3ce068bb6638f71ea14577f34c1df3d7c9d8c
Implements: blueprint centralize-config-magnum
2016-10-11 11:05:40 +07:00
Feng Shengqin cb27427cb2 Remove rc from policy.json
k8s APIs rcs have been removed.
With this patch the code about rc is removed.

Change-Id: I87d26eedd8fee622405368965c38a608fd07c62a
2016-10-08 09:42:41 +00:00
Hieu LE 1ab3eabd4f Init magnum centralize config
Initialize magnum centralize config folder and test cases.

Change-Id: Ib68e54701e127546fbaa91e3633f50d149a5b878
Implements: blueprint centralize-config-magnum
2016-09-20 10:12:33 +07:00
Jaycen Grant eaddb942fd Rename Bay to Cluster in api
This is the first of several patches to add new Cluster commands
that will replace the Bay terminology in Magnum. This patch adds
the new Cluster and ClusterTemplate commands in addition to the
Bay and Baymodel commands.  Additional patches will be created
for client, docs, and additional functional tests.

Change-Id: Ie686281a6f98a1a9931158d2a79eee6ac21ed9a1
Implements: blueprint rename-bay-to-cluster
2016-08-17 22:24:45 +00:00
Tom Cammann 40aa6550f1 Remove container object
Following on from removing the k8s specific APIs in
I1f6f04a35dfbb39f217487fea104ded035b75569 the objects associated with
these APIs need removal.

Remove the container object, drop the db table and remove references to
the container object. The docker_conductor has also been removed as this
was used for managing containers using Magnum objects.

Change-Id: I288fa7a9717519b1ae8195820975676d99b4d6d2
Partially-Implements: blueprint delete-container-endpoint
Co-Authored-By: Spyros Trigazis <strigazi@gmail.com>
2016-08-01 16:16:20 +02:00
Tom Cammann 3e02840628 Remove service object
Following on from removing the k8s specific APIs in
I1f6f04a35dfbb39f217487fea104ded035b75569 the objects associated with
these APIs need removal.

Remove the service object, drop the db table and remove references to
the service object.

Change-Id: I4f06bb779caa0ad369a2b96b4714e1bf2db8acc6
Partially-Implements: blueprint delete-container-endpoint
2016-06-02 10:46:13 +01:00
Tom Cammann d20e5ef715 Remove pod object
Following on from removing the k8s specific APIs in
I1f6f04a35dfbb39f217487fea104ded035b75569 the objects associated with
these APIs need removal.

Remove the pod object, drop the db table and remove references to the
pod object.

Change-Id: I8c2499ccb97aae39d80868ce02fbef292d762c10
Partially-Implements: blueprint delete-container-endpoint
2016-05-27 11:34:09 +01:00
Niall Bunting 08d41a2de5 Healthcheck Middleware
Use the healthcheck middleware from oslo_middleware. This adds a new
pipeline that depends on whether the /etc/magnum/healthcheck_disable file exists.

The healthcheck middleware is available under the /healthcheck URL.

Return values:
200 OK (If the file does not exist)
503 DISABLED BY FILE (If file exists)

Change-Id: I23179d5285831af12de7f392849c490d86a5682e
2016-04-22 12:32:44 +00:00
Michael Krotscheck a5883fd3af Moved CORS middleware configuration into oslo-config-generator
The default values needed for magnum's implementation of cors
middleware have been moved from paste.ini into the configuration
hooks provided by oslo.config. Furthermore, these values have been
added to the default initialization procedure. This ensures
that if a value remains unset in the configuration file, it will
fallback to using sane defaults. It also ensures that an operator
modifying the configuration will be presented with that same
set of defaults.

Change-Id: I7d8f8708d53bbab117600070982ac80482fa0a77
Closes-Bug: 1551836
2016-03-09 13:02:07 -08:00
Jenkins 9bd983c3a7 Merge "Load wsgi app(api) with paste.deploy" 2016-03-09 17:36:46 +00:00
Aaron-DH db378a0ee5 Load wsgi app(api) with paste.deploy
This change replaces the hard coded WSGI app creation with a pipeline
of WSGI apps declared in a configuration file.
Paste Deploy was used to create the pipeline since it is used by many other
OpenStack projects and it is an active project
with new contributors and supports Python 3. Dependency on Paste is
localized so switching to another library would not be hard if OpenStack moves
to another package in the future.

Change-Id: I9a45f974c2c8c67a01748583639e6a6248003b85
Closes-Bug: #1551134
2016-03-08 09:25:44 +08:00
Hua Wang ce5b55dd31 limit access to certificate and container:create
Only the user who creates the bay can get the certificate and call
the certificate signing request of the bay and create containers
in the bay, which is needed by [1].

[1] https://github.com/openstack/magnum/blob/master/specs/
    create-trustee-user-for-each-bay.rst

Change-Id: Id959b76cb136ffbb0e6bcb8c3b83e02b30de66cf
Closes-Bug: #1536883
Partially-Implements: blueprint create-trustee-user-for-each-bay
2016-03-03 15:01:19 +08:00
Hua Wang 342e83f033 Remove node object from Magnum
The node object represents either a bare metal or virtual machine
node that is provisioned with an OS to run the containers, or
alternatively, run kubernetes. Magnum uses Heat to deploy the nodes,
so it is unnecessary to maintain node object in Magnum. Heat can do
the work for us. The code about node object is useless now, so let's
remove it from Magnum.

Closes-Bug: #1540790
Change-Id: If8761b06a364127683099afb4dc51ea551be6f89
2016-02-04 14:02:49 +08:00
wangqun 3020ba4659 Add introduce doc how to generate magnum.conf.sample
Now magnum.conf.sample needs to be generated by tox -egenconfig.
It is convenient to have a help doc in the directory etc/magnum/

Change-Id: Ia18db548e8840bbccc915b58b7a2301043533469
2016-01-29 06:56:03 +00:00
Eli Qiao 022bba9c06 Use magnum-config-generator.conf to generate Magnum config sample file
We hard code configure options in tox.ini to generate Magnum config
sample file, and we keep this config sample file in our repository
before.

It is inconvenient for developers if they add/remove/change some
configuration options, because they need to take care of the
config.sample file.

This patch removes magnum.config.sample instead of letting admin generate it
from magnum-config-generator.conf(picked from tox.ini).

P.S. Make tox.ini cleanup since it is not a good idea we mess up tox.ini
with configuration options.

Closes-Bug: #1538374
Change-Id: I80d019b5c98e0282cd0fe50fd4ad66286287e2cb
2016-01-27 11:28:26 +08:00
houming-wang 92450109b1 "notification_driver" from group "DEFAULT" is deprecated
Option "notification_driver" from group "DEFAULT" is deprecated.
Use option "driver" from group "oslo_messaging_notifications"

Reference link:
[1] https://github.com/openstack/oslo.messaging/blob/master/
    oslo_messaging/notify/notifier.py#L34

Change-Id: I3e211ac315bb582961ad03e2cf06d4409eb20ed3
Closes-Bug: #1535611
2016-01-19 18:09:37 +08:00
houming-wang 8176eb92db Do not use inner class of glanceclient
When initiating glanceclient, we should use 'glanceclient.client.Client'
instead of inner class 'glanceclient.v2.client.Client'

[1] http://docs.openstack.org/developer/python-glanceclient/ref/
    client.html

Change-Id: I65036aaac255264ae598e6166a0fd8ae25ed0e2d
Closes-Bug: #1533550
2016-01-14 20:09:01 +08:00
houming-wang 6748e5260e Do not use inner class of heatclient
When initiating heatclient, we should use 'heatclient.client.Client'
instead of inner class 'heatclient.v1.client.Client'

[1] http://docs.openstack.org/developer/python-heatclient/#python-api

Change-Id: Ifcb4b77d5f848679943acbb7d8924eaf0d11025f
Closes-Bug: #1533540
2016-01-14 19:37:21 +08:00
houming-wang a4fd1a9689 Do not use inner class of novaclient
Currently in Magnum, novaclient is initiated by directly calling the inner
class of novaclient: novaclient.v2.client.Client. But it's not designed
to be initialized directly. We should use 'novaclient.client.Client'.

Reference links:
[1] http://docs.openstack.org/developer/python-novaclient/api.html#usage
[2] https://launchpad.net/bugs/1493576

Change-Id: I85c37e7934962c9f01a4be1131808222c315ba45
Closes-Bug: #1533510
2016-01-14 19:14:23 +08:00
Hua Wang 8074f6f4ce Create trust_id for bay
All bays use the same trustee_user and different trust. A trust is
created for a bay when the bay is created, and is deleted when the
bay is deleted.

Partially-Implements: blueprint registryv2-in-master
Change-Id: Iab2037677f683fe4c562915b98303da02c59c299
2015-12-15 11:28:23 +08:00
houming-wang 0162588ebd Register neutron client option
1. Register neutron_client_opts
2. Updated config sample to include neutron opts

Change-Id: I97fd1f25dbe7e8d07620ede0ea7b25acadb2e432
Partially-Implements: blueprint api-parameter-validation
2015-12-02 04:43:58 -05:00
Daneyon Hansen de1edaec40 Changes Swarm Bootstrapping from Public to Etcd
Previously, Swarm leveraged Docker's public discovery mechanism
for bootstrapping a cluster. Etcd bootstrapping is supported by
Swarm and is preferred for production use for the following reasons:

1. Required for HA.
2. Is more secure.
3. Required for the Flannel network-driver.

Partially-Implements: blueprint extend-baymodel-net-attributes
Partially-Implements: blueprint conductor-template-net-update

Change-Id: Iab844c03ed7cf8bbee69b72ff71c219f0a5ab1dd
2015-11-19 05:59:03 +00:00
Dane LeBlanc 471aa924fc Add Magnum config for default network driver per COE
Problem description:
Magnum should provide support for configuration of default network drivers per
COE. An example use case could be a cloud operator who would like to have
control of what default container network driver should be used on a per-COE
basis. The cloud operator in this case should be able to set the default
network driver per COE in /etc/magnum/magnum.conf.

Proposed fix:
Add 3 configuration list options to the config in /etc/magnum/magnum.conf:
- kubernetes_default_network_driver
  (default='flannel')
- swarm_default_network_driver
  (default='docker')
- mesos_default_network_driver
  (default='docker')
When a baymodel is created and the --network-driver attribute is not supplied,
then the configured default network driver for the selected COE will first be
checked against the list of allowed network drivers for that COE, and if
allowed, the configured default network driver will be used for the new
baymodel.

Change-Id: I1e1d68c3348f609975b914926994bd79c1ef6d28
Closes-Bug: #1504664
2015-11-13 03:22:08 +00:00
Hua Wang 37b731b510 Rename heat-kubernetes, heat-mesos, docker-swarm
Rename heat-kubernetes to kubernetes, heat-mesos to mesos,
docker-swarm to swarm in templates.  We use heat templates and
no other methods, so I think it is unnecessary to add heat before
coe. kubernetes, mesos, swarm are better than
heat-kubernetes, heat-mesos, docker-swarm.

Change-Id: I257b35c1c4ef55d3172095736f550f2c55c8d81f
Closes-Bug: #1514682
2015-11-11 16:29:33 -05:00
Hongbin Lu be68eb64ce Generate missing baymodel sample configs
Change-Id: I51c398bb6666f90d20a637b501ff4ccdc6420110
Closes-Bug: #1515399
2015-11-11 16:18:05 -05:00
Jenkins 87851bf8d5 Merge "Use oslo_config PortOpt type for port options" 2015-11-08 12:48:44 +00:00
Dane LeBlanc ce0ed4e44d Add support for allowable network drivers configuration
Problem:
With the changes that were merged with https://review.openstack.org/230147, the
choices of container network drivers that can be selected for a given COE type
when creating a Magnum baymodel are hardcoded, and are based on network drivers
that Magnum can support for each COE.

These hard-coded selections will probably make sense in most cases. However, in
some cloud instances, a cloud provider or cloud admin may want to restrict the
choices of network drivers that a user can select for a given COE even further,
based on specific restrictions in the cloud.

Magnum should provide support for configuration of what container network
drivers are allowed, and this needs to be provided on a per-COE basis.

Proposed fix:
Add 3 configuration list options to the config in /etc/magnum/magnum.conf for
configuring allowed network drivers for kubernetes, swarm and mesos
respectively. The keyword 'all' can be used to allow all network drivers
supported by Magnum for that COE. The new config options are:
- kubernetes_allowed_network_drivers
  (default=['all'])
- swarm_allowed_network_drivers
  (default=['all'])
- mesos_allowed_network_drivers
  (default=['all'])
Validation of the --network-driver attributes for a baymodel create will be
performed against this above configuration on a per-COE basis.

Change-Id: Ibaa21d43fd6b5c1a6acc10e56145280eeaea8534
Closes-Bug: #1504635
2015-11-06 18:25:36 -05:00