Add keystone v3 support

Use shared section template for keystone authotken and update service_credentials section to support Keystone v3 for OpenStack Mitaka or later. Change-Id: Ia7750276e6a6a52dc95a93f1d5cb8d1f544a94d5 Closes-Bug: #1624173
2016-09-28 17:52:59 +08:00 · 2016-09-28 17:52:59 +08:00 · fa77346e98
parent 4ac6fd69cb
commit fa77346e98
20 changed files with 353 additions and 16 deletions
--- a/charm-helpers-hooks.yaml
+++ b/charm-helpers-hooks.yaml
@ -5,7 +5,7 @@ include:
    - osplatform
    - cli
    - fetch
-    - contrib.openstack
+    - contrib.openstack|inc=*
    - contrib.hahelpers
    - contrib.storage.linux
    - contrib.network.ip
--- a/hooks/ceilometer_contexts.py
+++ b/hooks/ceilometer_contexts.py
@ -36,13 +36,19 @@ class CeilometerServiceContext(OSContextGenerator):
        'rabbitmq_user',
        'rabbitmq_password',
        'rabbitmq_virtual_host',
+        'api_version',
        'auth_protocol',
        'auth_host',
        'auth_port',
        'admin_tenant_name',
        'admin_user',
        'admin_password',
-        'metering_secret'
+        'metering_secret',
+        'service_host',
+        'service_protocol',
+        'service_port',
+        'signing_dir',
+        'api_version',
    ]

    optional_keys = [
--- a/hooks/charmhelpers/contrib/openstack/amulet/deployment.py
+++ b/hooks/charmhelpers/contrib/openstack/amulet/deployment.py
@ -156,7 +156,7 @@ class OpenStackAmuletDeployment(AmuletDeployment):
        use_source = list(set(
            use_source + ['mysql', 'mongodb', 'rabbitmq-server', 'ceph',
                          'ceph-osd', 'ceph-radosgw', 'ceph-mon',
-                          'ceph-proxy']))
+                          'ceph-proxy', 'percona-cluster', 'lxd']))

        # Charms which can not use openstack-origin, ie. many subordinates
        no_origin = list(set(
--- a/hooks/charmhelpers/contrib/openstack/amulet/utils.py
+++ b/hooks/charmhelpers/contrib/openstack/amulet/utils.py
@ -306,10 +306,8 @@ class OpenStackAmuletUtils(AmuletUtils):
                                  password, tenant):
        """Authenticates admin user with cinder."""
        # NOTE(beisner): cinder python client doesn't accept tokens.
-        service_ip = \
-            keystone_sentry.relation('shared-db',
-                                     'mysql:shared-db')['private-address']
-        ept = "http://{}:5000/v2.0".format(service_ip.strip().decode('utf-8'))
+        keystone_ip = keystone_sentry.info['public-address']
+        ept = "http://{}:5000/v2.0".format(keystone_ip.strip().decode('utf-8'))
        return cinder_client.Client(username, password, tenant, ept)

    def authenticate_keystone_admin(self, keystone_sentry, user, password,
@ -319,8 +317,8 @@ class OpenStackAmuletUtils(AmuletUtils):
        self.log.debug('Authenticating keystone admin...')
        unit = keystone_sentry
        if not keystone_ip:
-            keystone_ip = unit.relation('shared-db',
-                                        'mysql:shared-db')['private-address']
+            keystone_ip = keystone_sentry.info['public-address']
+
        base_ep = "http://{}:35357".format(keystone_ip.strip().decode('utf-8'))
        if not api_version or api_version == 2:
            ep = base_ep + "/v2.0"
--- a/hooks/charmhelpers/contrib/openstack/files/check_haproxy.sh
+++ b/hooks/charmhelpers/contrib/openstack/files/check_haproxy.sh
@ -0,0 +1,34 @@
+#!/bin/bash
+#--------------------------------------------
+# This file is managed by Juju
+#--------------------------------------------
+#
+# Copyright 2009,2012 Canonical Ltd.
+# Author: Tom Haddon
+
+CRITICAL=0
+NOTACTIVE=''
+LOGFILE=/var/log/nagios/check_haproxy.log
+AUTH=$(grep -r "stats auth" /etc/haproxy | awk 'NR=1{print $4}')
+
+typeset -i N_INSTANCES=0
+for appserver in $(awk '/^\s+server/{print $2}' /etc/haproxy/haproxy.cfg)
+do
+    N_INSTANCES=N_INSTANCES+1
+    output=$(/usr/lib/nagios/plugins/check_http -a ${AUTH} -I 127.0.0.1 -p 8888 -u '/;csv' --regex=",${appserver},.*,UP.*" -e ' 200 OK')
+    if [ $? != 0 ]; then
+        date >> $LOGFILE
+        echo $output >> $LOGFILE
+        /usr/lib/nagios/plugins/check_http -a ${AUTH} -I 127.0.0.1 -p 8888 -u '/;csv' -v | grep ",${appserver}," >> $LOGFILE 2>&1
+        CRITICAL=1
+        NOTACTIVE="${NOTACTIVE} $appserver"
+    fi
+done
+
+if [ $CRITICAL = 1 ]; then
+    echo "CRITICAL:${NOTACTIVE}"
+    exit 2
+fi
+
+echo "OK: All haproxy instances ($N_INSTANCES) looking good"
+exit 0
--- a/hooks/charmhelpers/contrib/openstack/files/check_haproxy_queue_depth.sh
+++ b/hooks/charmhelpers/contrib/openstack/files/check_haproxy_queue_depth.sh
@ -0,0 +1,30 @@
+#!/bin/bash
+#--------------------------------------------
+# This file is managed by Juju
+#--------------------------------------------
+#                                       
+# Copyright 2009,2012 Canonical Ltd.
+# Author: Tom Haddon
+
+# These should be config options at some stage
+CURRQthrsh=0
+MAXQthrsh=100
+
+AUTH=$(grep -r "stats auth" /etc/haproxy | head -1 | awk '{print $4}')
+
+HAPROXYSTATS=$(/usr/lib/nagios/plugins/check_http -a ${AUTH} -I 127.0.0.1 -p 8888 -u '/;csv' -v)
+
+for BACKEND in $(echo $HAPROXYSTATS| xargs -n1 | grep BACKEND | awk -F , '{print $1}')
+do
+    CURRQ=$(echo "$HAPROXYSTATS" | grep $BACKEND | grep BACKEND | cut -d , -f 3)
+    MAXQ=$(echo "$HAPROXYSTATS"  | grep $BACKEND | grep BACKEND | cut -d , -f 4)
+
+    if [[ $CURRQ -gt $CURRQthrsh || $MAXQ -gt $MAXQthrsh ]] ; then
+        echo "CRITICAL: queue depth for $BACKEND - CURRENT:$CURRQ MAX:$MAXQ"
+        exit 2
+    fi
+done
+
+echo "OK: All haproxy queue depths looking good"
+exit 0
+
--- a/hooks/charmhelpers/contrib/openstack/templates/ceph.conf
+++ b/hooks/charmhelpers/contrib/openstack/templates/ceph.conf
@ -0,0 +1,21 @@
+###############################################################################
+# [ WARNING ]
+# cinder configuration file maintained by Juju
+# local changes may be overwritten.
+###############################################################################
+[global]
+{% if auth -%}
+auth_supported = {{ auth }}
+keyring = /etc/ceph/$cluster.$name.keyring
+mon host = {{ mon_hosts }}
+{% endif -%}
+log to syslog = {{ use_syslog }}
+err to syslog = {{ use_syslog }}
+clog to syslog = {{ use_syslog }}
+
+[client]
+{% if rbd_client_cache_settings -%}
+{% for key, value in rbd_client_cache_settings.iteritems() -%}
+{{ key }} = {{ value }}
+{% endfor -%}
+{%- endif %}
--- a/hooks/charmhelpers/contrib/openstack/templates/git.upstart
+++ b/hooks/charmhelpers/contrib/openstack/templates/git.upstart
@ -0,0 +1,17 @@
+description "{{ service_description }}"
+author "Juju {{ service_name }} Charm <juju@localhost>"
+
+start on runlevel [2345]
+stop on runlevel [!2345]
+
+respawn
+
+exec start-stop-daemon --start --chuid {{ user_name }} \
+            --chdir {{ start_dir }} --name {{ process_name }} \
+            --exec {{ executable_name }} -- \
+            {% for config_file in config_files -%}
+            --config-file={{ config_file }} \
+            {% endfor -%}
+            {% if log_file -%}
+            --log-file={{ log_file }}
+            {% endif -%}
--- a/hooks/charmhelpers/contrib/openstack/templates/haproxy.cfg
+++ b/hooks/charmhelpers/contrib/openstack/templates/haproxy.cfg
@ -0,0 +1,66 @@
+global
+    log {{ local_host }} local0
+    log {{ local_host }} local1 notice
+    maxconn 20000
+    user haproxy
+    group haproxy
+    spread-checks 0
+
+defaults
+    log global
+    mode tcp
+    option tcplog
+    option dontlognull
+    retries 3
+{%- if haproxy_queue_timeout %}
+    timeout queue {{ haproxy_queue_timeout }}
+{%- else %}
+    timeout queue 5000
+{%- endif %}
+{%- if haproxy_connect_timeout %}
+    timeout connect {{ haproxy_connect_timeout }}
+{%- else %}
+    timeout connect 5000
+{%- endif %}
+{%- if haproxy_client_timeout %}
+    timeout client {{ haproxy_client_timeout }}
+{%- else %}
+    timeout client 30000
+{%- endif %}
+{%- if haproxy_server_timeout %}
+    timeout server {{ haproxy_server_timeout }}
+{%- else %}
+    timeout server 30000
+{%- endif %}
+
+listen stats
+    bind {{ local_host }}:{{ stat_port }}
+    mode http
+    stats enable
+    stats hide-version
+    stats realm Haproxy\ Statistics
+    stats uri /
+    stats auth admin:{{ stat_password }}
+
+{% if frontends -%}
+{% for service, ports in service_ports.items() -%}
+frontend tcp-in_{{ service }}
+    bind *:{{ ports[0] }}
+    {% if ipv6 -%}
+    bind :::{{ ports[0] }}
+    {% endif -%}
+    {% for frontend in frontends -%}
+    acl net_{{ frontend }} dst {{ frontends[frontend]['network'] }}
+    use_backend {{ service }}_{{ frontend }} if net_{{ frontend }}
+    {% endfor -%}
+    default_backend {{ service }}_{{ default_backend }}
+
+{% for frontend in frontends -%}
+backend {{ service }}_{{ frontend }}
+    balance leastconn
+    {% for unit, address in frontends[frontend]['backends'].items() -%}
+    server {{ unit }} {{ address }}:{{ ports[1] }} check
+    {% endfor %}
+{% endfor -%}
+{% endfor -%}
+{% endif -%}
--- a/hooks/charmhelpers/contrib/openstack/templates/openstack_https_frontend
+++ b/hooks/charmhelpers/contrib/openstack/templates/openstack_https_frontend
@ -0,0 +1,26 @@
+{% if endpoints -%}
+{% for ext_port in ext_ports -%}
+Listen {{ ext_port }}
+{% endfor -%}
+{% for address, endpoint, ext, int in endpoints -%}
+<VirtualHost {{ address }}:{{ ext }}>
+    ServerName {{ endpoint }}
+    SSLEngine on
+    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+    SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM
+    SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
+    SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}
+    ProxyPass / http://localhost:{{ int }}/
+    ProxyPassReverse / http://localhost:{{ int }}/
+    ProxyPreserveHost on
+</VirtualHost>
+{% endfor -%}
+<Proxy *>
+    Order deny,allow
+    Allow from all
+</Proxy>
+<Location />
+    Order allow,deny
+    Allow from all
+</Location>
+{% endif -%}
--- a/hooks/charmhelpers/contrib/openstack/templates/openstack_https_frontend.conf
+++ b/hooks/charmhelpers/contrib/openstack/templates/openstack_https_frontend.conf
@ -0,0 +1,26 @@
+{% if endpoints -%}
+{% for ext_port in ext_ports -%}
+Listen {{ ext_port }}
+{% endfor -%}
+{% for address, endpoint, ext, int in endpoints -%}
+<VirtualHost {{ address }}:{{ ext }}>
+    ServerName {{ endpoint }}
+    SSLEngine on
+    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+    SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM
+    SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
+    SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}
+    ProxyPass / http://localhost:{{ int }}/
+    ProxyPassReverse / http://localhost:{{ int }}/
+    ProxyPreserveHost on
+</VirtualHost>
+{% endfor -%}
+<Proxy *>
+    Order deny,allow
+    Allow from all
+</Proxy>
+<Location />
+    Order allow,deny
+    Allow from all
+</Location>
+{% endif -%}
--- a/hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken
+++ b/hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken
@ -0,0 +1,12 @@
+{% if auth_host -%}
+[keystone_authtoken]
+auth_uri = {{ service_protocol }}://{{ service_host }}:{{ service_port }}
+auth_url = {{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}
+auth_plugin = password
+project_domain_id = default
+user_domain_id = default
+project_name = {{ admin_tenant_name }}
+username = {{ admin_user }}
+password = {{ admin_password }}
+signing_dir = {{ signing_dir }}
+{% endif -%}
--- a/hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken-legacy
+++ b/hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken-legacy
@ -0,0 +1,10 @@
+{% if auth_host -%}
+[keystone_authtoken]
+# Juno specific config (Bug #1557223)
+auth_uri = {{ service_protocol }}://{{ service_host }}:{{ service_port }}/{{ service_admin_prefix }}
+identity_uri = {{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}
+admin_tenant_name = {{ admin_tenant_name }}
+admin_user = {{ admin_user }}
+admin_password = {{ admin_password }}
+signing_dir = {{ signing_dir }}
+{% endif -%}
--- a/hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken-mitaka
+++ b/hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken-mitaka
@ -0,0 +1,12 @@
+{% if auth_host -%}
+[keystone_authtoken]
+auth_uri = {{ service_protocol }}://{{ service_host }}:{{ service_port }}
+auth_url = {{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}
+auth_type = password
+project_domain_name = default
+user_domain_name = default
+project_name = {{ admin_tenant_name }}
+username = {{ admin_user }}
+password = {{ admin_password }}
+signing_dir = {{ signing_dir }}
+{% endif -%}
--- a/hooks/charmhelpers/contrib/openstack/templates/section-rabbitmq-oslo
+++ b/hooks/charmhelpers/contrib/openstack/templates/section-rabbitmq-oslo
@ -0,0 +1,22 @@
+{% if rabbitmq_host or rabbitmq_hosts -%}
+[oslo_messaging_rabbit]
+rabbit_userid = {{ rabbitmq_user }}
+rabbit_virtual_host = {{ rabbitmq_virtual_host }}
+rabbit_password = {{ rabbitmq_password }}
+{% if rabbitmq_hosts -%}
+rabbit_hosts = {{ rabbitmq_hosts }}
+{% if rabbitmq_ha_queues -%}
+rabbit_ha_queues = True
+rabbit_durable_queues = False
+{% endif -%}
+{% else -%}
+rabbit_host = {{ rabbitmq_host }}
+{% endif -%}
+{% if rabbit_ssl_port -%}
+rabbit_use_ssl = True
+rabbit_port = {{ rabbit_ssl_port }}
+{% if rabbit_ssl_ca -%}
+kombu_ssl_ca_certs = {{ rabbit_ssl_ca }}
+{% endif -%}
+{% endif -%}
+{% endif -%}
--- a/hooks/charmhelpers/contrib/openstack/templates/section-zeromq
+++ b/hooks/charmhelpers/contrib/openstack/templates/section-zeromq
@ -0,0 +1,14 @@
+{% if zmq_host -%}
+# ZeroMQ configuration (restart-nonce: {{ zmq_nonce }})
+rpc_backend = zmq
+rpc_zmq_host = {{ zmq_host }}
+{% if zmq_redis_address -%}
+rpc_zmq_matchmaker = redis
+matchmaker_heartbeat_freq = 15
+matchmaker_heartbeat_ttl = 30
+[matchmaker_redis]
+host = {{ zmq_redis_address }}
+{% else -%}
+rpc_zmq_matchmaker = ring
+{% endif -%}
+{% endif -%}
--- a/templates/mitaka/ceilometer.conf
+++ b/templates/mitaka/ceilometer.conf
@ -0,0 +1,40 @@
+# mitaka
+###############################################################################
+# [ WARNING ]
+# ceilometer configuration file maintained by Juju
+# local changes may be overwritten.
+###############################################################################
+[DEFAULT]
+debug = {{ debug }}
+verbose = {{ verbose }}
+logdir = /var/log/ceilometer
+
+{% if use_internal_endpoints -%}
+interface = internal
+{% endif -%}
+
+{% if auth_host -%}
+[service_credentials]
+auth_url = {{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}
+project_name = {{ admin_tenant_name }}
+username = {{ admin_user }}
+password = {{ admin_password }}
+project_domain_id = default
+user_domain_id = default
+auth_type = password
+{% endif -%}
+
+{% if metering_secret -%}
+[publisher]
+telemetry_secret = {{ metering_secret }}
+{% endif -%}
+
+{% include "section-keystone-authtoken-mitaka" %}
+
+{% include "section-rabbitmq-oslo" %}
+
+[database]
+# NOTE(jamespage) this allows the db sync process to run OK for upgrades
+# fixed in icehouse
+backend=sqlalchemy
+connection=sqlite:////var/lib/ceilometer/$sqlite_db
--- a/tests/charmhelpers/contrib/openstack/amulet/deployment.py
+++ b/tests/charmhelpers/contrib/openstack/amulet/deployment.py
@ -156,7 +156,7 @@ class OpenStackAmuletDeployment(AmuletDeployment):
        use_source = list(set(
            use_source + ['mysql', 'mongodb', 'rabbitmq-server', 'ceph',
                          'ceph-osd', 'ceph-radosgw', 'ceph-mon',
-                          'ceph-proxy']))
+                          'ceph-proxy', 'percona-cluster', 'lxd']))

        # Charms which can not use openstack-origin, ie. many subordinates
        no_origin = list(set(
--- a/tests/charmhelpers/contrib/openstack/amulet/utils.py
+++ b/tests/charmhelpers/contrib/openstack/amulet/utils.py
@ -306,10 +306,8 @@ class OpenStackAmuletUtils(AmuletUtils):
                                  password, tenant):
        """Authenticates admin user with cinder."""
        # NOTE(beisner): cinder python client doesn't accept tokens.
-        service_ip = \
-            keystone_sentry.relation('shared-db',
-                                     'mysql:shared-db')['private-address']
-        ept = "http://{}:5000/v2.0".format(service_ip.strip().decode('utf-8'))
+        keystone_ip = keystone_sentry.info['public-address']
+        ept = "http://{}:5000/v2.0".format(keystone_ip.strip().decode('utf-8'))
        return cinder_client.Client(username, password, tenant, ept)

    def authenticate_keystone_admin(self, keystone_sentry, user, password,
@ -319,8 +317,8 @@ class OpenStackAmuletUtils(AmuletUtils):
        self.log.debug('Authenticating keystone admin...')
        unit = keystone_sentry
        if not keystone_ip:
-            keystone_ip = unit.relation('shared-db',
-                                        'mysql:shared-db')['private-address']
+            keystone_ip = keystone_sentry.info['public-address']
+
        base_ep = "http://{}:35357".format(keystone_ip.strip().decode('utf-8'))
        if not api_version or api_version == 2:
            ep = base_ep + "/v2.0"
--- a/unit_tests/test_ceilometer_contexts.py
+++ b/unit_tests/test_ceilometer_contexts.py
@ -43,9 +43,14 @@ class CeilometerContextsTest(CharmTestCase):
            'rabbitmq_virtual_host': 'openstack',
            'rabbit_ssl_ca': None,
            'rabbit_ssl_port': None,
+            'api_version': 3,
            'auth_protocol': 'http',
            'auth_host': 'keystone',
            'auth_port': '80',
+            'service_protocol': 'http',
+            'service_host': 'keystone',
+            'service_port': '80',
+            'signing_dir': '/var/lib/ceilometer',
            'admin_tenant_name': 'admin',
            'admin_user': 'admin',
            'admin_password': 'password',