From 81b84804cca78d239442da4ca79273cde542572f Mon Sep 17 00:00:00 2001 From: Feilong Wang Date: Thu, 6 Dec 2018 10:59:04 +1300 Subject: [PATCH] Keystone auth support Add Keystone auth support for generated kubeconfig Task: 28296 Story: 1755770 Change-Id: I743fe75f39477ba336636607fd9bc2e542342ca0 --- magnumclient/common/utils.py | 88 +++++++++++++++++++++++---------- magnumclient/osc/v1/clusters.py | 26 ++++++++-- 2 files changed, 82 insertions(+), 32 deletions(-) diff --git a/magnumclient/common/utils.py b/magnumclient/common/utils.py index 99676da7..52219c98 100644 --- a/magnumclient/common/utils.py +++ b/magnumclient/common/utils.py @@ -160,11 +160,11 @@ def handle_json_from_file(json_arg): def config_cluster(cluster, cluster_template, cfg_dir, force=False, - certs=None): + certs=None, use_keystone=False): """Return and write configuration for the given cluster.""" if cluster_template.coe == 'kubernetes': return _config_cluster_kubernetes(cluster, cluster_template, cfg_dir, - force, certs) + force, certs, use_keystone) elif (cluster_template.coe == 'swarm' or cluster_template.coe == 'swarm-mode'): return _config_cluster_swarm(cluster, cluster_template, cfg_dir, @@ -172,7 +172,7 @@ def config_cluster(cluster, cluster_template, cfg_dir, force=False, def _config_cluster_kubernetes(cluster, cluster_template, cfg_dir, - force=False, certs=None): + force=False, certs=None, use_keystone=False): """Return and write configuration for the given kubernetes cluster.""" cfg_file = "%s/config" % cfg_dir if cluster_template.tls_disabled or certs is None: @@ -193,30 +193,64 @@ def _config_cluster_kubernetes(cluster, cluster_template, cfg_dir, "- name: %(name)s'\n" % {'name': cluster.name, 'api_address': cluster.api_address}) else: - cfg = ("apiVersion: v1\n" - "clusters:\n" - "- cluster:\n" - " certificate-authority-data: %(ca)s\n" - " server: %(api_address)s\n" - " name: %(name)s\n" - "contexts:\n" - "- context:\n" - " cluster: %(name)s\n" - " user: admin\n" - " name: default\n" - "current-context: default\n" - "kind: Config\n" - "preferences: {}\n" - "users:\n" - "- name: admin\n" - " user:\n" - " client-certificate-data: %(cert)s\n" - " client-key-data: %(key)s\n" - % {'name': cluster.name, - 'api_address': cluster.api_address, - 'key': base64.b64encode(certs['key']), - 'cert': base64.b64encode(certs['cert']), - 'ca': base64.b64encode(certs['ca'])}) + if not use_keystone: + cfg = ("apiVersion: v1\n" + "clusters:\n" + "- cluster:\n" + " certificate-authority-data: %(ca)s\n" + " server: %(api_address)s\n" + " name: %(name)s\n" + "contexts:\n" + "- context:\n" + " cluster: %(name)s\n" + " user: admin\n" + " name: default\n" + "current-context: default\n" + "kind: Config\n" + "preferences: {}\n" + "users:\n" + "- name: admin\n" + " user:\n" + " client-certificate-data: %(cert)s\n" + " client-key-data: %(key)s\n" + % {'name': cluster.name, + 'api_address': cluster.api_address, + 'key': base64.b64encode(certs['key']), + 'cert': base64.b64encode(certs['cert']), + 'ca': base64.b64encode(certs['ca'])}) + else: + cfg = ("apiVersion: v1\n" + "clusters:\n" + "- cluster:\n" + " certificate-authority-data: %(ca)s\n" + " server: %(api_address)s\n" + " name: %(name)s\n" + "contexts:\n" + "- context:\n" + " cluster: %(name)s\n" + " user: openstackuser\n" + " name: openstackuser@kubernetes\n" + "current-context: openstackuser@kubernetes\n" + "kind: Config\n" + "preferences: {}\n" + "users:\n" + "- name: openstackuser\n" + " user:\n" + " exec:\n" + " command: /bin/bash\n" + " apiVersion: client.authentication.k8s.io/v1alpha1\n" + " args:\n" + " - -c\n" + " - >\n" + " if [ -z ${OS_TOKEN} ]; then\n" + " echo 'Error: Missing OpenStack credential from environment variable $OS_TOKEN' > /dev/stderr\n" # noqa + " exit 1\n" + " else\n" + " echo '{ \"apiVersion\": \"client.authentication.k8s.io/v1alpha1\", \"kind\": \"ExecCredential\", \"status\": { \"token\": \"'\"${OS_TOKEN}\"'\"}}'\n" # noqa + " fi\n" + % {'name': cluster.name, + 'api_address': cluster.api_address, + 'ca': base64.b64encode(certs['ca'])}) if os.path.exists(cfg_file) and not force: raise exc.CommandError("File %s exists, aborting." % cfg_file) diff --git a/magnumclient/osc/v1/clusters.py b/magnumclient/osc/v1/clusters.py index ac1419ae..d2829fa2 100644 --- a/magnumclient/osc/v1/clusters.py +++ b/magnumclient/osc/v1/clusters.py @@ -305,6 +305,18 @@ class ConfigCluster(command.Command): dest='output_certs', default=False, help=_('Output certificates in separate files.')) + parser.add_argument( + '--use-certificate', + action='store_true', + dest='use_certificate', + default=True, + help=_('Use certificate in config files.')) + parser.add_argument( + '--use-keystone', + action='store_true', + dest='use_keystone', + default=False, + help=_('Use Keystone token in config files.')) return parser @@ -315,6 +327,11 @@ class ConfigCluster(command.Command): the corresponding COE configured to access the cluster. """ + if parsed_args.use_keystone: + parsed_args.use_certificate = False + if not parsed_args.use_certificate: + parsed_args.use_keystone = True + self.log.debug("take_action(%s)", parsed_args) mag_client = self.app.client_manager.container_infra @@ -346,8 +363,7 @@ class ConfigCluster(command.Command): with open(fname, "w") as f: f.write(tls[k]) - print(magnum_utils.config_cluster(cluster, - cluster_template, - parsed_args.dir, - force=parsed_args.force, - certs=tls)) + print(magnum_utils.config_cluster( + cluster, cluster_template, parsed_args.dir, + force=parsed_args.force, certs=tls, + use_keystone=parsed_args.use_keystone))