From 7effde7bee448cae0dba74813ebec6fb8b39ab04 Mon Sep 17 00:00:00 2001
From: Liam Young
Date: Thu, 14 Jun 2018 10:12:28 +0000
Subject: [PATCH] Retrieve cloud credentials directly from keystone

In a cells deployment the credentials for the nova-compute application will no longer be available via the nova-cloud-controller in the local cell. This change adds the scaffolding for a cell to utilise a new cloud-credentials relation to allow it to retrieve credentials directly from keystone.

Change-Id: I9d1a7353d730f7cb8e93cc9eea5b788f7c956c3d
---
 hooks/cloud-credentials-relation-changed | 1 +
 hooks/cloud-credentials-relation-joined | 1 +
 hooks/nova_compute_hooks.py | 13 +++++++++++++
 hooks/nova_compute_utils.py | 4 +++-
 metadata.yaml | 2 ++
 templates/ocata/nova.conf | 2 +-
 templates/pike/nova.conf | 2 +-
 unit_tests/test_nova_compute_hooks.py | 11 +++++++++++
 8 files changed, 33 insertions(+), 3 deletions(-)
 create mode 120000 hooks/cloud-credentials-relation-changed
 create mode 120000 hooks/cloud-credentials-relation-joined

diff --git a/hooks/cloud-credentials-relation-changed b/hooks/cloud-credentials-relation-changed
new file mode 120000
index 00000000..3ba0bdea
--- /dev/null
+++ b/hooks/cloud-credentials-relation-changed
@@ -0,0 +1 @@
+nova_compute_hooks.py
\ No newline at end of file
diff --git a/hooks/cloud-credentials-relation-joined b/hooks/cloud-credentials-relation-joined
new file mode 120000
index 00000000..3ba0bdea
--- /dev/null
+++ b/hooks/cloud-credentials-relation-joined
@@ -0,0 +1 @@
+nova_compute_hooks.py
\ No newline at end of file
diff --git a/hooks/nova_compute_hooks.py b/hooks/nova_compute_hooks.py
index 94be738a..c6e67c9e 100755
--- a/hooks/nova_compute_hooks.py
+++ b/hooks/nova_compute_hooks.py
@@ -30,6 +30,7 @@ from charmhelpers.core.hookenv import (
     Hooks,
     config,
     is_relation_made,
+    local_unit,
     log,
     relation_ids,
     remote_service_name,
@@ -561,6 +562,18 @@ def storage_changed():
     configure_local_ephemeral_storage()
 
 
+@hooks.hook('cloud-credentials-relation-joined')
+def cloud_credentials_joined():
+    svc_name = local_unit().split('/')[0].replace('-', '_')
+    relation_set(username=svc_name)
+
+
+@hooks.hook('cloud-credentials-relation-changed')
+@restart_on_change(restart_map())
+def cloud_credentials_changed():
+    CONFIGS.write(NOVA_CONF)
+
+
 @hooks.hook('update-status')
 @harden()
 def update_status():
diff --git a/hooks/nova_compute_utils.py b/hooks/nova_compute_utils.py
index 749a4941..67330702 100644
--- a/hooks/nova_compute_utils.py
+++ b/hooks/nova_compute_utils.py
@@ -175,7 +175,9 @@ BASE_RESOURCE_MAP = {
                      NovaComputeAvailabilityZoneContext(),
                      context.WorkerConfigContext(),
                      vaultlocker.VaultKVContext(
-                         vaultlocker.VAULTLOCKER_BACKEND)],
+                         vaultlocker.VAULTLOCKER_BACKEND),
+                     context.IdentityCredentialsContext(
+                         rel_name='cloud-credentials')],
     },
     NOVA_API_AA_PROFILE_PATH: {
         'services': ['nova-api'],
diff --git a/metadata.yaml b/metadata.yaml
index b759a7d2..45403fd3 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -46,6 +46,8 @@ requires:
     scope: container
   ceph-access:
     interface: cinder-ceph-key
+  cloud-credentials:
+    interface: keystone-credentials
   secrets-storage:
     interface: vault-kv
 peers:
diff --git a/templates/ocata/nova.conf b/templates/ocata/nova.conf
index aebe4a43..5d98d8c7 100644
--- a/templates/ocata/nova.conf
+++ b/templates/ocata/nova.conf
@@ -138,7 +138,7 @@ resume_guests_state_on_host_boot = {{ resume_guests_state_on_host_boot }}
 {% if network_manager == 'neutron' and network_manager_config -%}
 [neutron]
 url = {{ network_manager_config.neutron_url }}
-{% if network_manager_config.keystone_host -%}
+{% if network_manager_config.keystone_host or auth_host -%}
 {% if neutron_plugin and neutron_plugin == 'vsp' -%}
 ovs_bridge = alubr0
 {% endif -%}
diff --git a/templates/pike/nova.conf b/templates/pike/nova.conf
index 140947ac..067728f1 100644
--- a/templates/pike/nova.conf
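Review bot: Both new hooks are undocumented, and the username derivation in `cloud_credentials_joined` is exactly the line that needs a why-comment: `split('/')[0]` drops the unit index and the `-` to `_` rewrite normalises the application name, so every unit of the application requests the same keystone account (the test pins `nova-compute-cell1/2` to `nova_compute_cell1`). A docstring such as `"""Request a keystone service account named after this application, so all units share one set of credentials."""` on `cloud_credentials_joined`, and `"""Re-render nova.conf when credentials arrive or change on the cloud-credentials relation."""` on `cloud_credentials_changed`, would make that intent explicit. Once credentials flow over this relation, `CONFIGS.write(NOVA_CONF)` places a service password in nova.conf; whether the rendered file's ownership and mode keep it unreadable to other local users is decided by the resource map outside this hunk, so it is worth confirming rather than assuming.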
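Review bot: `context.IdentityCredentialsContext(rel_name='cloud-credentials')` is appended as the last entry of the NOVA_CONF contexts list with no comment on why it is needed or why it sits last; if the renderer merges contexts in list order, keys from a later context override earlier ones, so its position decides which `auth_host` and credential values win when another context also yields them. A one-line comment such as `# cells: fetch service credentials from keystone when no local nova-cloud-controller supplies them` would record the intent for the next maintainer. The `'contexts'` list and the enclosing `BASE_RESOURCE_MAP` entry begin outside the hunk.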
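Review bot: The widened guard `{% if network_manager_config.keystone_host or auth_host -%}` now opens the `[neutron]` auth block when only the cloud-credentials context supplies `auth_host`, but nothing in this hunk switches the options inside that block to the `auth_host`-derived values; if the body (outside the hunk, closed by an `{% endif %}` not shown) still reads `network_manager_config.*`, a unit with the cloud-credentials relation but no keystone data from cloud-compute renders those auth options empty. Since the commit describes itself as scaffolding, a template comment naming the follow-up, e.g. `{# TODO: populate the auth options below from the cloud-credentials context when auth_host is set #}`, would stop the half-wired condition being read as complete support. The identical change in templates/pike/nova.conf needs the same treatment.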
+++ b/templates/pike/nova.conf
@@ -141,7 +141,7 @@ alias = {{ pci_alias }}
 {% if network_manager == 'neutron' and network_manager_config -%}
 [neutron]
 url = {{ network_manager_config.neutron_url }}
-{% if network_manager_config.keystone_host -%}
+{% if network_manager_config.keystone_host or auth_host -%}
 {% if neutron_plugin and neutron_plugin == 'vsp' -%}
 ovs_bridge = alubr0
 {% endif -%}
diff --git a/unit_tests/test_nova_compute_hooks.py b/unit_tests/test_nova_compute_hooks.py
index c8ab8ff1..ab652a18 100644
--- a/unit_tests/test_nova_compute_hooks.py
+++ b/unit_tests/test_nova_compute_hooks.py
@@ -38,6 +38,7 @@ TO_PATCH = [
     # charmhelpers.core.hookenv
     'Hooks',
     'config',
+    'local_unit',
     'log',
     'is_relation_made',
     'relation_get',
@@ -729,3 +730,13 @@ class NovaComputeRelationsTests(CharmTestCase):
         self.relation_get.return_value = None
         hooks.secrets_storage_changed()
         self.configure_local_ephemeral_storage.assert_called_once_with()
+
+    def test_cloud_credentials_joined(self):
+        self.local_unit.return_value = 'nova-compute-cell1/2'
+        hooks.cloud_credentials_joined()
+        self.relation_set.assert_called_with(username='nova_compute_cell1')
+
+    @patch.object(hooks, 'CONFIGS')
+    def test_cloud_credentials_changed(self, mock_CONFIGS):
+        hooks.cloud_credentials_changed()
+        mock_CONFIGS.write.assert_called_with('/etc/nova/nova.conf')
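Review bot: `test_cloud_credentials_changed` asserts the literal `'/etc/nova/nova.conf'` where the hook under test writes the `NOVA_CONF` constant; referencing the constant ties the assertion to what the hook actually uses, `mock_CONFIGS.write.assert_called_with(hooks.NOVA_CONF)`. Both new tests use `assert_called_with` while the preceding context line in the same class uses `assert_called_once_with`; the stricter form would also detect a duplicated `relation_set` or `write` call. Neither test documents what it checks, so a one-line docstring per test, such as `"""The requested keystone username is the application name with '-' replaced by '_'."""`, would help. The `NovaComputeRelationsTests` class begins outside the hunk.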