From 12a3cc01ca556ce77a4556fc4d691061f509feba Mon Sep 17 00:00:00 2001
From: Kevin Lefevre
Date: Mon, 10 Apr 2017 16:36:21 +0200
Subject: [PATCH] Enable custom keystone endpoint_type in templates
Allow to specify a custom AUTH_URL for the templates in case instances cannot reach internalURL which is the case in mose deployment. A new variable in trust section: trustee_keystone_interface which default to public is introduced.
Change-Id: I2a908c0752387e4ff4ad2b0fdf0c1025a73ce806
Closes-Bug: #1643197
---
 devstack/lib/magnum | 1 +
 .../source/common/configure_2_edit_magnum_conf.rst | 6 ++++++
 magnum/conf/trust.py | 5 ++++-
 .../templates/kubernetes/fragments/make-cert-client.sh | 2 --
 .../common/templates/kubernetes/fragments/make-cert.sh | 2 --
 .../drivers/common/templates/swarm/fragments/make-cert.py | 2 +-
 magnum/drivers/heat/template_def.py | 5 ++++-
 .../k8s_coreos_v1/templates/fragments/make-cert-client.yaml | 2 --
 .../k8s_coreos_v1/templates/fragments/make-cert.yaml | 2 --
 .../unit/conductor/handlers/test_k8s_cluster_conductor.py | 2 +-
 .../unit/conductor/handlers/test_mesos_cluster_conductor.py | 2 +-
 .../unit/conductor/handlers/test_swarm_cluster_conductor.py | 2 +-
 .../notes/keystone_trustee_interface-6d63b74616dda1d4.yaml | 5 +++++
 13 files changed, 24 insertions(+), 14 deletions(-)
 create mode 100644 releasenotes/notes/keystone_trustee_interface-6d63b74616dda1d4.yaml
diff --git a/devstack/lib/magnum b/devstack/lib/magnum
index 5f04c454e4..0a2c698d78 100644
--- a/devstack/lib/magnum
+++ b/devstack/lib/magnum
@@ -208,6 +208,7 @@ function create_magnum_conf {
 iniset $MAGNUM_CONF trust trustee_domain_name magnum
 iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin
 iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD
+ iniset $MAGNUM_CONF trust trustee_keystone_interface public
 iniset $MAGNUM_CONF cinder_client region_name $REGION_NAME
 if is_service_enabled swift; then
diff --git a/install-guide/source/common/configure_2_edit_magnum_conf.rst b/install-guide/source/common/configure_2_edit_magnum_conf.rst
index 0e035bb3bf..a3b6544a32 100644
--- a/install-guide/source/common/configure_2_edit_magnum_conf.rst
+++ b/install-guide/source/common/configure_2_edit_magnum_conf.rst
@@ -76,11 +76,17 @@ trustee_domain_name = magnum
 trustee_domain_admin_name = magnum_domain_admin
 trustee_domain_admin_password = DOMAIN_ADMIN_PASS
+ trustee_keystone_interface = KEYSTONE_INTERFACE
 Replace MAGNUM_PASS with the password you chose for the magnum user in the Identity service and DOMAIN_ADMIN_PASS with the password you chose for the ``magnum_domain_admin`` user.
+ Replace KEYSTONE_INTERFACE with either ``public`` or ``internal``
+ depending on your network configuration. If your instances cannot reach
+ internal keystone endpoint which is often the case in production
+ environments it should be set to ``public``. Default to ``public``
+
 * In the ``[oslo_messaging_notifications]`` section, configure the ``driver``:
diff --git a/magnum/conf/trust.py b/magnum/conf/trust.py
index ffa25e87d2..eb5c826e8b 100644
--- a/magnum/conf/trust.py
+++ b/magnum/conf/trust.py
@@ -50,7 +50,10 @@ trust_opts = [
 cfg.ListOpt('roles',
 default=[],
 help=_('The roles which are delegated to the trustee '
- 'by the trustor'))
+ 'by the trustor')),
+ cfg.StrOpt('trustee_keystone_interface',
+ default='public',
+ help=_('Auth interface used by instances/trustee'))
 ]
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
index 97d9bf47fc..414a3bcfd3 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
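Review bot: The new `trustee_keystone_interface` StrOpt accepts any string, so a typo or an unsupported value is not rejected at config load and only surfaces later as a catalog lookup failure inside `template_def.py` while a cluster is being created. Declaring the valid set lets oslo.config fail fast and keeps the option consistent with the two values the install guide documents: `cfg.StrOpt('trustee_keystone_interface', default='public', choices=['public', 'internal'], help=_('Keystone interface (endpoint type) that cluster instances use to reach the identity service; it must be reachable from the instance network'))`. The current help string "Auth interface used by instances/trustee" does not say why the option exists, which is what an operator reading the sample config needs.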
@@ -55,8 +55,6 @@ auth_json=$(cat << EOF
 EOF
 )
-#trust is introduced in Keystone v3 version
-AUTH_URL=${AUTH_URL/v2.0/v3}
 content_type='Content-Type: application/json'
 url="$AUTH_URL/auth/tokens"
 USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
index 4eaad6283e..452f98428e 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@@ -77,8 +77,6 @@ auth_json=$(cat << EOF
 EOF
 )
-#trust is introduced in Keystone v3 version
-AUTH_URL=${AUTH_URL/v2.0/v3}
 content_type='Content-Type: application/json'
 url="$AUTH_URL/auth/tokens"
 USER_TOKEN=`curl -k -s -i -X POST -H "$content_type" -d "$auth_json" $url \
diff --git a/magnum/drivers/common/templates/swarm/fragments/make-cert.py b/magnum/drivers/common/templates/swarm/fragments/make-cert.py
index 896beacc84..844b035fab 100644
--- a/magnum/drivers/common/templates/swarm/fragments/make-cert.py
+++ b/magnum/drivers/common/templates/swarm/fragments/make-cert.py
@@ -160,7 +160,7 @@ def get_user_token(config):
 }
 creds = creds_str % params
 headers = {'Content-Type': 'application/json'}
- url = config['AUTH_URL'].replace('v2.0', 'v3') + '/auth/tokens'
+ url = config['AUTH_URL'] + '/auth/tokens'
 r = requests.post(url, headers=headers, data=creds)
 config['USER_TOKEN'] = r.headers['X-Subject-Token']
 return config
diff --git a/magnum/drivers/heat/template_def.py b/magnum/drivers/heat/template_def.py
index 4a3b7e01ef..6f39dee664 100644
--- a/magnum/drivers/heat/template_def.py
+++ b/magnum/drivers/heat/template_def.py
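Review bot: With the `AUTH_URL=${AUTH_URL/v2.0/v3}` rewrite removed, this fragment now depends entirely on the `auth_url` parameter already carrying a v3 path, and an unversioned or otherwise wrong URL would only show up as an unexplained failure of the `$AUTH_URL/auth/tokens` POST; a one-line guard before `url=` such as `case "$AUTH_URL" in */v3) ;; *) echo "AUTH_URL must be a Keystone v3 endpoint: $AUTH_URL" >&2; exit 1;; esac` makes the assumption explicit. The same removal appears in make-cert.sh and in the two k8s_coreos_v1 make-cert YAML fragments, which would benefit from the same guard. Separately, the token request on the context line below still runs `curl -k`, and pointing instances at the public interface means the trustee password is now sent to whichever endpoint the catalog advertises with certificate verification disabled; that is pre-existing, but it is worth a follow-up now that the endpoint choice is operator-configurable.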
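Review bot: `get_user_token` reads `r.headers['X-Subject-Token']` immediately after the POST to the new `url`, so if the endpoint resolved from the configured interface is unreachable from the instance or rejects the trust credentials, the failure surfaces as a `KeyError` instead of an authentication error; adding `r.raise_for_status()` before the header lookup gives a clear failure. The concatenation `config['AUTH_URL'] + '/auth/tokens'` also produces a double slash if the catalog URL carries a trailing slash; `url = config['AUTH_URL'].rstrip('/') + '/auth/tokens'` avoids that. `get_user_token` begins outside the hunk.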
@@ -252,7 +252,10 @@ class BaseTemplateDefinition(TemplateDefinition):
 else:
 extra_params['trust_id'] = ""
- extra_params['auth_url'] = context.auth_url
+ extra_params['auth_url'] = osc.url_for(
+ service_type='identity',
+ interface=CONF.trust.trustee_keystone_interface,
+ version=3)
 return super(BaseTemplateDefinition, self).get_params(context, cluster_template, cluster,
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
index da290e536f..ed0121c838 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
@@ -68,8 +68,6 @@ write_files:
 }
 EOF
- #trust is introduced in Keystone v3 version
- AUTH_URL=${AUTH_URL/v2.0/v3}
 USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
 $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
index cc9196dbcb..bebc7cc26a 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
@@ -91,8 +91,6 @@ write_files:
 }
 EOF
- #trust is introduced in Keystone v3 version
- AUTH_URL=${AUTH_URL/v2.0/v3}
 USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
 $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
index 074539b69c..d15deaa7c8 100644
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
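Review bot: The new `osc.url_for(...)` call carries no comment explaining why instances no longer receive `context.auth_url`, which is the whole point of the change and will read as a regression to the next maintainer; I would put `# Hand instances the Keystone endpoint of the operator-chosen interface: context.auth_url is typically the internal URL, which cluster nodes often cannot reach (bug 1643197).` above it. Where `osc` is bound is not visible in this hunk and `get_params` starts outside it, so I am assuming it is the OpenStackClients instance already used for the trust handling above. It also looks like `url_for` will raise a keystoneauth error when the catalog has no identity endpoint for the configured interface, so cluster creation would abort with a message that never names `trustee_keystone_interface`; wrapping that lookup to point at the option would save operators a debugging round.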
@@ -79,13 +79,13 @@ class TestClusterConductorWithK8s(base.TestCase):
 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
 'coe_version': 'fake-version',
 }
- self.context.auth_url = 'http://192.168.10.10:5000/v3'
 self.context.user_name = 'fake_user'
 self.context.tenant = 'fake_tenant'
 osc_patcher = mock.patch('magnum.common.clients.OpenStackClients')
 self.mock_osc_class = osc_patcher.start()
 self.addCleanup(osc_patcher.stop)
 self.mock_osc = mock.MagicMock()
+ self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
 self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
 self.mock_osc.cinder_region_name.return_value = 'RegionOne'
 self.mock_keystone = mock.MagicMock()
diff --git a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
index c21f3b613f..2939acfd1c 100644
--- a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py
@@ -67,7 +67,6 @@ class TestClusterConductorWithMesos(base.TestCase):
 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
 }
- self.context.auth_url = 'http://192.168.10.10:5000/v3'
 self.context.user_name = 'mesos_user'
 self.context.tenant = 'admin'
 self.context.domain_name = 'domainname'
@@ -80,6 +79,7 @@ class TestClusterConductorWithMesos(base.TestCase):
 self.mock_keystone.trustee_domain_id = 'trustee_domain_id'
 self.mock_osc.keystone.return_value = self.mock_keystone
 self.mock_osc_class.return_value = self.mock_osc
+ self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
 @patch('magnum.objects.ClusterTemplate.get_by_uuid')
 @patch('magnum.drivers.common.driver.Driver.get_driver')
diff --git a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
index b61cc65530..e0085f1926 100644
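Review bot: The setUp changes here, in test_mesos_cluster_conductor.py and in test_swarm_cluster_conductor.py stub `url_for` with a fixed return value but nothing asserts how it is called, so a regression that drops `interface=CONF.trust.trustee_keystone_interface` or `version=3` from template_def.py would still pass; in the test methods that check `auth_url` among the extra params (outside these hunks), add `self.mock_osc.url_for.assert_called_with(service_type='identity', interface='public', version=3)`. As a style point, the mesos test places the new stub after `self.mock_osc_class.return_value = self.mock_osc` while the k8s and swarm tests keep it with the other `mock_osc` return values; the order does not matter for a MagicMock, but keeping the three files alike makes the setUp blocks easier to compare.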
--- a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py
@@ -85,11 +85,11 @@ class TestClusterConductorWithSwarm(base.TestCase):
 self.addCleanup(osc_patcher.stop)
 self.mock_osc = mock.MagicMock()
 self.mock_osc.magnum_url.return_value = 'http://127.0.0.1:9511/v1'
+ self.mock_osc.url_for.return_value = 'http://192.168.10.10:5000/v3'
 self.mock_keystone = mock.MagicMock()
 self.mock_keystone.trustee_domain_id = 'trustee_domain_id'
 self.mock_osc.keystone.return_value = self.mock_keystone
 self.mock_osc_class.return_value = self.mock_osc
- self.context.auth_url = 'http://192.168.10.10:5000/v3'
 @patch('requests.get')
 @patch('magnum.objects.ClusterTemplate.get_by_uuid')
diff --git a/releasenotes/notes/keystone_trustee_interface-6d63b74616dda1d4.yaml b/releasenotes/notes/keystone_trustee_interface-6d63b74616dda1d4.yaml
new file mode 100644
index 0000000000..65db0ca34f
--- /dev/null
+++ b/releasenotes/notes/keystone_trustee_interface-6d63b74616dda1d4.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Keystone URL used by Cluster Templates instances to authenticate is now
+ configurable with the ``trustee_keystone_interface`` parameter
+ which default to ``public``.