From 9173fc7f757e173edb447f094aaeaa0400afd075 Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Fri, 22 Dec 2017 09:16:28 -0600 Subject: [PATCH] Add domain specific driver support This patch set allows for domain specific driver (ldap and sql) for keystone. Change-Id: Iad8e07fdfdb0e4abc96a7e8100467959ed275dfb --- keystone/templates/bin/_bootstrap.sh.tpl | 4 ++ keystone/templates/bin/_db-sync.sh.tpl | 1 - keystone/templates/configmap-etc.yaml | 4 ++ keystone/templates/job-bootstrap.yaml | 38 ++++++++++++- keystone/values.yaml | 11 +++- .../example/keystone_domain_config.yaml | 54 +++++++++++++++++++ 6 files changed, 109 insertions(+), 3 deletions(-) create mode 100644 tools/overrides/example/keystone_domain_config.yaml diff --git a/keystone/templates/bin/_bootstrap.sh.tpl b/keystone/templates/bin/_bootstrap.sh.tpl index 533c0a5a3f..ba021d4ad1 100644 --- a/keystone/templates/bin/_bootstrap.sh.tpl +++ b/keystone/templates/bin/_bootstrap.sh.tpl @@ -17,4 +17,8 @@ limitations under the License. */}} set -ex +{{- range $k, $v := .Values.conf.ks_domains }} +openstack --debug domain create --or-show {{ $k }} +keystone-manage domain_config_upload --domain-name {{ $k }} || true +{{- end }} {{ .Values.bootstrap.script | default "echo 'Not Enabled'" }} diff --git a/keystone/templates/bin/_db-sync.sh.tpl b/keystone/templates/bin/_db-sync.sh.tpl index 7e1372a03e..473d773e72 100644 --- a/keystone/templates/bin/_db-sync.sh.tpl +++ b/keystone/templates/bin/_db-sync.sh.tpl @@ -19,7 +19,6 @@ limitations under the License. set -ex keystone-manage --config-file=/etc/keystone/keystone.conf db_sync - keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \ --bootstrap-username ${OS_USERNAME} \ --bootstrap-password ${OS_PASSWORD} \ diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml index 89a1c90862..967ae9c89e 100644 --- a/keystone/templates/configmap-etc.yaml +++ b/keystone/templates/configmap-etc.yaml 
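Review bot: `keystone-manage domain_config_upload --domain-name {{ $k }} || true` in the new range block swallows every failure, so a domain whose driver configuration cannot be uploaded is still created and the job still reports success — presumably leaving that domain on the default identity driver rather than the one the operator configured, with nothing in the job status to show it. Let the upload fail the job, `keystone-manage domain_config_upload --domain-name {{ $k }}`, or at least echo an explicit failure message before continuing if a best-effort upload is intended. `openstack --debug domain create --or-show {{ $k }}` also writes the whole HTTP exchange with keystone into the job log; the `--debug` flag reads like a leftover and should go unless that verbosity is wanted in the pod output. Because `{{ $k }}` is interpolated unquoted into the shell line, each `ks_domains` key must be a single shell-safe word, which is worth stating in the values.yaml comment that introduces `ks_domains`. The `_db-sync.sh.tpl` hunk is a whitespace-only change and needs nothing.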
@@ -49,4 +49,8 @@ data: {{- tuple .Values.conf.wsgi_keystone "etc/_wsgi-keystone.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }} sso_callback_template.html: |+ {{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }} +{{- range $k, $v := .Values.conf.ks_domains }} + keystone.{{ $k }}.conf: |+ +{{ include "helm-toolkit.utils.to_oslo_conf" $v | indent 4 }} +{{- end }} {{- end }} diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml index c422143b43..d2e375e7e0 100644 --- a/keystone/templates/job-bootstrap.yaml +++ b/keystone/templates/job-bootstrap.yaml @@ -43,7 +43,7 @@ spec: {{ tuple $envAll $dependencies $mounts_keystone_bootstrap_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: keystone-bootstrap - image: {{ .Values.images.tags.bootstrap }} + image: {{ .Values.images.tags.keystone_bootstrap }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} env: 
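Review bot: Each rendered `keystone.{{ $k }}.conf` is added to the `keystone-etc` ConfigMap, so a domain configured with the ldap driver would carry its bind `password` and the rest of its `[ldap]` section in a ConfigMap rather than a Secret, readable to anyone who can get ConfigMaps in the namespace. This matches how the chart already stores keystone.conf in the same ConfigMap, but the per-domain files are precisely where LDAP credentials are expected to land; consider serving the rendered domain files from a Secret volume, or at minimum say in the `ks_domains` comment in values.yaml that their contents are stored unencrypted alongside keystone.conf. The `|+` block scalar mirrors the sibling entries and is fine; the enclosing `data:` block and the `{{- end }}` it closes start outside the hunk.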
@@ -53,16 +53,52 @@ spec: command: - /tmp/bootstrap.sh volumeMounts: + - name: etckeystonedomains + mountPath: {{ .Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }} + - name: etckeystone + mountPath: /etc/keystone - name: keystone-bin mountPath: /tmp/bootstrap.sh subPath: bootstrap.sh readOnly: true + - name: keystone-etc + mountPath: /etc/keystone/keystone.conf + subPath: keystone.conf + readOnly: true +{{- range $k, $v := .Values.conf.ks_domains }} + - name: keystone-etc + mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}/keystone.{{ $k }}.conf + subPath: keystone.{{ $k }}.conf + readOnly: true +{{- end }} +{{- if eq .Values.conf.keystone.token.provider "fernet" }} + - name: keystone-fernet-keys + mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }} +{{- end }} + - name: keystone-credential-keys + mountPath: {{ .Values.conf.keystone.credential.key_repository }} {{ if $mounts_keystone_bootstrap.volumeMounts }}{{ toYaml $mounts_keystone_bootstrap.volumeMounts | indent 12 }}{{ end }} volumes: + - name: etckeystone + emptyDir: {} + - name: etckeystonedomains + emptyDir: {} + - name: keystone-etc + configMap: + name: keystone-etc + defaultMode: 0444 - name: keystone-bin configMap: name: keystone-bin defaultMode: 0555 +{{- if eq .Values.conf.keystone.token.provider "fernet" }} + - name: keystone-fernet-keys + secret: + secretName: keystone-fernet-keys +{{- end }} + - name: keystone-credential-keys + secret: + secretName: keystone-credential-keys {{ if $mounts_keystone_bootstrap.volumes }}{{ toYaml $mounts_keystone_bootstrap.volumes | indent 9 }}{{ end }} {{- end }} {{- end }} diff --git a/keystone/values.yaml b/keystone/values.yaml index 715e27444a..6aea412ba0 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml 
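Review bot: The new `keystone-fernet-keys` and `keystone-credential-keys` volumeMounts are the only mounts in this container without `readOnly: true`, unlike the `keystone-bin` and `keystone-etc` entries beside them; add `readOnly: true` under both `mountPath` lines so the manifest is consistent and self-describing (recent Kubernetes mounts Secret volumes read-only anyway, but the explicit flag costs nothing). More broadly, the commands the bootstrap script runs — `openstack domain create` and `keystone-manage domain_config_upload` — do not obviously require the token-signing and credential-encryption keys; if `keystone-manage` can run here without them, leaving those two Secrets out of this job reduces the number of pods that hold the keys. The `keystone-etc` subPath mount into an `emptyDir` at `/etc/keystone`, with the fernet key repository nested under the same path, works but is not self-explanatory; a one-line comment above `- name: etckeystone` saying why a writable `/etc/keystone` is needed would help the next reader. The enclosing `spec:` block starts outside the hunk.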
@@ -25,7 +25,7 @@ release_group: null images: tags: - bootstrap: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 + keystone_bootstrap: docker.io/kolla/ubuntu-source-keystone:3.0.3 test: docker.io/kolla/ubuntu-source-rally:4.0.0 db_init: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 keystone_db_sync: docker.io/kolla/ubuntu-source-keystone:3.0.3 @@ -262,6 +262,9 @@ conf: max_token_size: 255 token: provider: fernet + identity: + domain_specific_drivers_enabled: True + domain_config_dir: /etc/keystonedomains fernet_tokens: key_repository: /etc/keystone/fernet-keys/ credential: @@ -271,6 +274,12 @@ conf: cache: enabled: true backend: dogpile.cache.memcached + # NOTE(lamt) We can leverage multiple domains with different + # configurations as outlined in + # https://docs.openstack.org/keystone/pike/admin/identity-domain-specific-config.html. + # A sample of the value override can be found in sample file: + # tools/overrides/example/keystone_domain_config.yaml + # ks_domains: paste: filter:debug: use: egg:oslo.middleware#debug diff --git a/tools/overrides/example/keystone_domain_config.yaml b/tools/overrides/example/keystone_domain_config.yaml new file mode 100644 index 0000000000..3672990fbe --- /dev/null +++ b/tools/overrides/example/keystone_domain_config.yaml 
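Review bot: `domain_specific_drivers_enabled: True` in the second hunk uses a capitalised YAML 1.1 boolean while the rest of this file writes `true` (see `enabled: true` in the cache section shown in the third hunk); write `domain_specific_drivers_enabled: true` so the file stays consistent and parses identically under YAML 1.2 loaders. Enabling domain-specific drivers by default while nothing here sets `domain_configurations_from_database` means that, as far as this diff shows, the files uploaded by the bootstrap job are only consumed if the operator also sets that option (the sample override does), and the diffstat shows no change to the API deployment to mount the domain config directory; either add `domain_configurations_from_database: true` next to the new keys or say in the `ks_domains` comment that an override must set it. The first hunk's rename of `images.tags.bootstrap` to `keystone_bootstrap` will make any existing override of the old key render an empty `image:`, which deserves a line in the commit message.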
@@ -0,0 +1,54 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# MVP values for neutron using Linux Bridge.
+# This file contains overrides to launch a MVP deployment of neutron using
+# Linux Bridge for the OpenStack-Helm gates, and local development use.
+# It should be kept to the bare minimum required for this purpose.
+
+# This example sets the default domain to be LDAP based, and adds in a new
+# dbdomain that is SQL-backed. Note that for this to work, you need to set
+# an admin (env: OS_USERNAME and OS_PASSWORD) that is valid in the LDAP.
+conf:
+ keystone:
+ identity:
+ driver: ldap
+ default_domain_id: default
+ domain_specific_drivers_enabled: True
+ domain_configurations_from_database: True
+ domain_config_dir: /etc/keystonedomains
+ ldap:
+ url: "ldap://ldap.openstack.svc.cluster.local:389"
+ user: "cn=admin,dc=cluster,dc=local"
+ password: password
+ suffix: "dc=cluster,dc=local"
+ user_attribute_ignore: enabled,email,tenants,default_project_id
+ query_scope: sub
+ user_enabled_emulation: True
+ user_enabled_emulation_dn: "cn=overwatch,ou=Groups,dc=cluster,dc=local"
+ user_tree_dn: "ou=People,dc=cluster,dc=local"
+ user_enabled_mask: 2
+ user_enabled_default: 512
+ user_name_attribute: cn
+ user_id_attribute: sn
+ user_mail_attribute: mail
+ user_pass_attribute: userPassword
+ group_tree_dn: "ou=Groups,dc=cluster,dc=local"
+ user_allow_create: False
+ user_allow_delete: False
+ user_allow_update: False
+ ks_domains:
+ dbdomain:
+ identity:
+ driver: sql
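Review bot: The header paragraph beginning `# MVP values for neutron using Linux Bridge.` is copied from a neutron override and describes the wrong chart; replace those four lines with a sentence such as `# Example overrides enabling keystone domain-specific identity drivers.` and keep the paragraph that follows, which is the accurate description. The booleans written as `True`/`False` (`domain_specific_drivers_enabled`, `domain_configurations_from_database`, `user_enabled_emulation`, the three `user_allow_*` keys) should be lowercase `true`/`false` to match keystone/values.yaml. The sample binds over plain `ldap://` with a cleartext `password: password`; the header should say that this is a gate/local-development sample so the file is not lifted into a real deployment unchanged, and that a real LDAP bind password should come from a Secret rather than a committed override.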