Merge "Create barbican secrets before sysinv db update"

2024-05-10 13:57:38 +00:00 · 2024-05-10 13:57:38 +00:00 · fd9b85b5a5
parent a51946c563 cee20d96fc
commit fd9b85b5a5
4 changed files with 227 additions and 90 deletions
--- a/playbookconfig/src/playbooks/roles/bootstrap/apply-manifest/files/create_barbican_endpoints.py
+++ b/playbookconfig/src/playbooks/roles/bootstrap/apply-manifest/files/create_barbican_endpoints.py
@ -0,0 +1,117 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+"""
+Create barbicans's user, grant it admin role and set up its services and endpoints.
+
+It's necessary to perform the Barbican endpoint creation outside the
+openstack_config_endpoints.py script because the registry secrets need to be created
+before updating the sysinv database..
+"""
+
+import os
+import sys
+from subprocess import Popen, PIPE
+
+from keystoneauth1 import loading, session
+from keystoneclient.v3 import client
+from sysinv.common import openstack_config_endpoints
+
+BARBICAN_USER_TO_CREATE = [
+    {
+        "name": "barbican",
+        "password": "",
+        "email": "barbican@localhost",
+    }
+]
+
+SERVICES_TO_CREATE = [
+    {
+        "name": "barbican",
+        "description": "BarbicanService",
+        "type": "key-manager",
+    }
+]
+
+ENDPOINTS_TO_CREATE = [
+    {
+        "service": "barbican",
+        "region": "RegionOne",
+        "endpoints": {
+            "admin": "http://127.0.0.1:9311",
+            "internal": "http://127.0.0.1:9311",
+            "public": "http://127.0.0.1:9311",
+        },
+    }
+]
+
+
+def _retrieve_environment_variables(username, password):
+    with open(os.devnull, "w") as fnull:
+        process = Popen(
+            ["bash", "-c", "source /etc/platform/openrc --no_credentials && env"],
+            stdout=PIPE,
+            stderr=fnull,
+            universal_newlines=True,
+        )
+
+    env_vars = {}
+    env_vars["username"] = username
+    env_vars["password"] = password
+    env_vars["user_domain_name"] = "Default"
+    env_vars["project_domain_name"] = "Default"
+
+    for line in process.stdout:
+        key, _, value = line.partition("=")
+        if key == "OS_AUTH_URL":
+            env_vars["auth_url"] = value.strip()
+        elif key == "OS_REGION_NAME":
+            env_vars["region_name"] = value.strip()
+        elif key == "OS_PROJECT_NAME":
+            env_vars["project_name"] = value.strip()
+        elif key == "OS_USER_DOMAIN_NAME":
+            env_vars["user_domain_name"] = value.strip()
+
+    process.communicate()
+
+    return env_vars
+
+
+def _generate_auth(env_vars):
+    loader = loading.get_plugin_loader("password")
+
+    return loader.load_from_options(
+        auth_url=env_vars["auth_url"],
+        username=env_vars["username"],
+        password=env_vars["password"],
+        project_name=env_vars["project_name"],
+        user_domain_name=env_vars["user_domain_name"],
+        project_domain_name=env_vars["project_domain_name"],
+    )
+
+
+def _create_keystone_client(env_vars):
+    return client.Client(session=session.Session(auth=_generate_auth(env_vars)))
+
+
+if __name__ == "__main__":
+    username = sys.argv[1]
+    password = sys.argv[2]
+    BARBICAN_USER_TO_CREATE[0]["password"] = sys.argv[3]
+    admin_username = sys.argv[4]
+
+    env_vars = _retrieve_environment_variables(username, password)
+    ENDPOINTS_TO_CREATE[0]["region"] = env_vars["region_name"]
+
+    keystone = _create_keystone_client(env_vars)
+
+    openstack_config_endpoints.create_users(keystone, BARBICAN_USER_TO_CREATE)
+    openstack_config_endpoints.grant_admin_role(
+        keystone, BARBICAN_USER_TO_CREATE, "services"
+    )
+    openstack_config_endpoints.create_services(keystone, SERVICES_TO_CREATE)
+    openstack_config_endpoints.create_endpoints(keystone, ENDPOINTS_TO_CREATE)
--- a/playbookconfig/src/playbooks/roles/bootstrap/apply-manifest/tasks/barbican_bootstrap.yml
+++ b/playbookconfig/src/playbooks/roles/bootstrap/apply-manifest/tasks/barbican_bootstrap.yml
@ -7,6 +7,7 @@
 # SUB-TASKS DESCRIPTION:
 #   Bootstrap Barbican:
 #     - Generate barbican.conf
+#     - Create Barbican user/service/endpoints
 #     - Configure Barbican DB/User
 #     - Set initial gunicorn-config.py worker value
 #     - Generate barbican-api-logrotate configuration
@ -14,7 +15,16 @@
 #     - Enable barbican-api service

 - name: Read the required barbican var file contents
-  command: "egrep 'barbican::' {{ hieradata_workdir }}/secure_static.yaml"
+  shell: >-
+    grep -h 'barbican::' secure_static.yaml &&
+    grep -h 'barbican::keystone::authtoken::region_name' static.yaml &&
+    grep -h 'platform::amqp::params::auth_password' secure_static.yaml &&
+    grep -h 'platform::amqp::auth_user' global.yaml &&
+    grep -h 'platform::client::params::' static.yaml &&
+    grep -h 'platform::client::params::' secure_static.yaml &&
+    grep -h 'keystone::roles::admin::admin_tenant' personality.yaml
+  args:
+    chdir: /tmp/puppet/hieradata
  register: barbican_vars
  no_log: true

@ -42,6 +52,15 @@
    group: barbican
    mode: 0600

+- name: Create barbican endpoints
+  script: >
+    create_barbican_endpoints.py {{ OS_USERNAME }} {{ OS_PASSWORD }} {{ barbican_password }} {{ admin_username }}
+  vars:
+    OS_USERNAME: "{{ barbican_var_dict['keystone::roles::admin::admin_tenant'] }}"
+    OS_PASSWORD: "{{ barbican_var_dict['platform::client::params::admin_password'] }}"
+    barbican_password: "{{ barbican_var_dict['barbican::keystone::auth::password'] }}"
+    admin_username: "{{ barbican_var_dict['platform::client::params::admin_username'] }}"
+
 - name: Ensure PostgreSQL barbican database and user is created
  become_user: postgres
  postgresql_db:
--- a/playbookconfig/src/playbooks/roles/bootstrap/apply-manifest/templates/barbican.conf.j2
+++ b/playbookconfig/src/playbooks/roles/bootstrap/apply-manifest/templates/barbican.conf.j2
@ -300,7 +300,7 @@ sql_connection={{ sql_connection }}
 # oslo_messaging.TransportURL at
 # https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
 # (string value)
-#transport_url = rabbit://
+transport_url=rabbit://{{ barbican_var_dict['platform::amqp::auth_user'] }}:{{ barbican_var_dict['platform::amqp::params::auth_password'] }}@localhost:5672

 # The default exchange under which topics are scoped. May be
 # overridden by an exchange name specified in the transport_url
@ -355,7 +355,7 @@ sql_connection={{ sql_connection }}
 #client_socket_timeout = 900

 bind_port=9311
-bind_host=
+bind_host=[::]

 [certificate]

@ -546,7 +546,7 @@ www_authenticate_uri=http://localhost:5000
 #insecure = false

 # The region in which the identity server can be found. (string value)
-#region_name = <None>
+region_name={{ barbican_var_dict['barbican::keystone::authtoken::region_name'] }}

 # Optionally specify a list of memcached server(s) to use for caching.
 # If left undefined, tokens will instead be cached in-process. (list
@ -648,7 +648,7 @@ password={{ barbican_var_dict['barbican::keystone::auth::password'] }}
 user_domain_name=Default
 project_name=services
 project_domain_name=Default
-auth_url=http://controller.internal:5000
+auth_url=http://localhost:5000

 [keystone_notifications]

@ -1057,7 +1057,7 @@ enable=True

 # Connect over SSL. (boolean value)
 # Deprecated group/name - [oslo_messaging_rabbit]/rabbit_use_ssl
-ssl=false
+ssl=False

 # SSL version to use (valid only if SSL enabled). Valid values are
 # TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be
--- a/playbookconfig/src/playbooks/roles/bootstrap/persist-config/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/bootstrap/persist-config/tasks/main.yml
@ -199,90 +199,7 @@

  when: replayed

- name: Add section [KUBE_APISERVER]
-  set_fact:
-    sysinv_k8s_vars: "[KUBE_APISERVER]\n"
-
- name: Populate k8s kube_apiserver section
-  set_fact:
-    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
-  loop: "{{ apiserver_extra_args|dict2items }}"
-
- name: Add section [KUBE_CONTROLLER_MANAGER]
-  set_fact:
-    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_CONTROLLER_MANAGER]\n"
-
- name: Populate k8s kube_controller_manager section
-  set_fact:
-    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
-  loop: "{{ controllermanager_extra_args|dict2items }}"
-
- name: Add section [KUBE_SCHEDULER]
-  set_fact:
-    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_SCHEDULER]\n"
-
- name: Populate k8s kube_scheduler section
-  set_fact:
-    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
-  loop: "{{ scheduler_extra_args|dict2items }}"
-
- name: Add section [KUBE_APISERVER_EXTRA_VOLUMES]
-  set_fact:
-    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_APISERVER_EXTRA_VOLUMES]\n"
-
- name: Populate k8s kube_apiserver extra_volumes section
-  set_fact:
-    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.name}}={{item | to_json}}\n"
-  loop: "{{ apiserver_extra_volumes }}"
-
- name: Add section [KUBE_CONTROLLER_MANAGER_EXTRA_VOLUMES]
-  set_fact:
-    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_CONTROLLER_MANAGER_EXTRA_VOLUMES]\n"
-
- name: Populate k8s kube_controller_manager extra_volumes section
-  set_fact:
-    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.name}}={{item | to_json}}\n"
-  loop: "{{ controllermanager_extra_volumes }}"
-
- name: Add section [KUBE_SCHEDULER_EXTRA_VOLUMES]
-  set_fact:
-    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_SCHEDULER_EXTRA_VOLUMES]\n"
-
- name: Populate k8s kube_scheduler extra_volumes section
-  set_fact:
-    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.name}}={{item | to_json}}\n"
-  loop: "{{ scheduler_extra_volumes }}"
-
- name: Add section [KUBE_KUBELET]
-  set_fact:
-    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_KUBELET]\n"
-
- name: Populate k8s kubelet section
-  set_fact:
-    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
-  loop: "{{ kubelet_configurations|dict2items }}"
-
- block:
-  - name: Add section [USER_DNS_HOST_RECORDS]
-    set_fact:
-      sysinv_user_dns_host_records: "[USER_DNS_HOST_RECORDS]\n"
-
-  - name: Populate user dns host records section
-    set_fact:
-      sysinv_user_dns_host_records: "{{ sysinv_user_dns_host_records }}{{ item }}={{ user_dns_host_records[item] }}\n"
-    loop: "{{ user_dns_host_records.keys() }}"
-
-  when: user_dns_host_records
-
- block:
-  - name: Generate config ini file for python sysinv db population script
-    template:
-      src: bootstrap_config.j2
-      dest: "{{ config_permdir + '/' + bootstrap_config_file|basename }}"
-
-  - include: update_sysinv_database.yml
-  when: save_config_to_db
-
+# need to do this here to get the barbican secret id for sysinv
 - block:
  - name: Create Barbican secret for k8s registry if credentials exist
    shell: "source /etc/platform/openrc; openstack secret store -n k8s-registry-secret
@ -375,6 +292,90 @@

  when: icr_registry.username is defined

+- name: Add section [KUBE_APISERVER]
+  set_fact:
+    sysinv_k8s_vars: "[KUBE_APISERVER]\n"
+
+- name: Populate k8s kube_apiserver section
+  set_fact:
+    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
+  loop: "{{ apiserver_extra_args|dict2items }}"
+
+- name: Add section [KUBE_CONTROLLER_MANAGER]
+  set_fact:
+    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_CONTROLLER_MANAGER]\n"
+
+- name: Populate k8s kube_controller_manager section
+  set_fact:
+    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
+  loop: "{{ controllermanager_extra_args|dict2items }}"
+
+- name: Add section [KUBE_SCHEDULER]
+  set_fact:
+    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_SCHEDULER]\n"
+
+- name: Populate k8s kube_scheduler section
+  set_fact:
+    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
+  loop: "{{ scheduler_extra_args|dict2items }}"
+
+- name: Add section [KUBE_APISERVER_EXTRA_VOLUMES]
+  set_fact:
+    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_APISERVER_EXTRA_VOLUMES]\n"
+
+- name: Populate k8s kube_apiserver extra_volumes section
+  set_fact:
+    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.name}}={{item | to_json}}\n"
+  loop: "{{ apiserver_extra_volumes }}"
+
+- name: Add section [KUBE_CONTROLLER_MANAGER_EXTRA_VOLUMES]
+  set_fact:
+    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_CONTROLLER_MANAGER_EXTRA_VOLUMES]\n"
+
+- name: Populate k8s kube_controller_manager extra_volumes section
+  set_fact:
+    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.name}}={{item | to_json}}\n"
+  loop: "{{ controllermanager_extra_volumes }}"
+
+- name: Add section [KUBE_SCHEDULER_EXTRA_VOLUMES]
+  set_fact:
+    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_SCHEDULER_EXTRA_VOLUMES]\n"
+
+- name: Populate k8s kube_scheduler extra_volumes section
+  set_fact:
+    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.name}}={{item | to_json}}\n"
+  loop: "{{ scheduler_extra_volumes }}"
+
+- name: Add section [KUBE_KUBELET]
+  set_fact:
+    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_KUBELET]\n"
+
+- name: Populate k8s kubelet section
+  set_fact:
+    sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
+  loop: "{{ kubelet_configurations|dict2items }}"
+
+- block:
+  - name: Add section [USER_DNS_HOST_RECORDS]
+    set_fact:
+      sysinv_user_dns_host_records: "[USER_DNS_HOST_RECORDS]\n"
+
+  - name: Populate user dns host records section
+    set_fact:
+      sysinv_user_dns_host_records: "{{ sysinv_user_dns_host_records }}{{ item }}={{ user_dns_host_records[item] }}\n"
+    loop: "{{ user_dns_host_records.keys() }}"
+
+  when: user_dns_host_records
+
+- block:
+  - name: Generate config ini file for python sysinv db population script
+    template:
+      src: bootstrap_config.j2
+      dest: "{{ config_permdir + '/' + bootstrap_config_file|basename }}"
+
+  - include: update_sysinv_database.yml
+  when: save_config_to_db
+
 # Update docker and containerd config files and restart docker and containerd
 # if docker proxy is configured
 - block: