Merge "Create barbican secrets before sysinv db update"
commit
fd9b85b5a5
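--- /dev/null
+++ b/create_barbican_endpoints.py
@@ -0,0 +1,117 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+"""
+Create barbicans's user, grant it admin role and set up its services and endpoints.
+
+It's necessary to perform the Barbican endpoint creation outside the
+openstack_config_endpoints.py script because the registry secrets need to be created
+before updating the sysinv database..
+"""
+
+import os
+import sys
+from subprocess import Popen, PIPE
+
+from keystoneauth1 import loading, session
+from keystoneclient.v3 import client
+from sysinv.common import openstack_config_endpoints
+
+BARBICAN_USER_TO_CREATE = [
+    {
+        "name": "barbican",
+        "password": "",
+        "email": "barbican@localhost",
+    }
+]
+
+SERVICES_TO_CREATE = [
+    {
+        "name": "barbican",
+        "description": "BarbicanService",
+        "type": "key-manager",
+    }
+]
+
+ENDPOINTS_TO_CREATE = [
+    {
+        "service": "barbican",
+        "region": "RegionOne",
+        "endpoints": {
+            "admin": "http://127.0.0.1:9311",
+            "internal": "http://127.0.0.1:9311",
+            "public": "http://127.0.0.1:9311",
+        },
+    }
+]
+
+
+def _retrieve_environment_variables(username, password):
+    with open(os.devnull, "w") as fnull:
+        process = Popen(
+            ["bash", "-c", "source /etc/platform/openrc --no_credentials && env"],
+            stdout=PIPE,
+            stderr=fnull,
+            universal_newlines=True,
+        )
+
+        env_vars = {}
+        env_vars["username"] = username
+        env_vars["password"] = password
+        env_vars["user_domain_name"] = "Default"
+        env_vars["project_domain_name"] = "Default"
+
+        for line in process.stdout:
+            key, _, value = line.partition("=")
+            if key == "OS_AUTH_URL":
+                env_vars["auth_url"] = value.strip()
+            elif key == "OS_REGION_NAME":
+                env_vars["region_name"] = value.strip()
+            elif key == "OS_PROJECT_NAME":
+                env_vars["project_name"] = value.strip()
+            elif key == "OS_USER_DOMAIN_NAME":
+                env_vars["user_domain_name"] = value.strip()
+
+        process.communicate()
+
+        return env_vars
+
+
+def _generate_auth(env_vars):
+    loader = loading.get_plugin_loader("password")
+
+    return loader.load_from_options(
+        auth_url=env_vars["auth_url"],
+        username=env_vars["username"],
+        password=env_vars["password"],
+        project_name=env_vars["project_name"],
+        user_domain_name=env_vars["user_domain_name"],
+        project_domain_name=env_vars["project_domain_name"],
+    )
+
+
+def _create_keystone_client(env_vars):
+    return client.Client(session=session.Session(auth=_generate_auth(env_vars)))
+
+
+if __name__ == "__main__":
+    username = sys.argv[1]
+    password = sys.argv[2]
+    BARBICAN_USER_TO_CREATE[0]["password"] = sys.argv[3]
+    admin_username = sys.argv[4]
+
+    env_vars = _retrieve_environment_variables(username, password)
+    ENDPOINTS_TO_CREATE[0]["region"] = env_vars["region_name"]
+
+    keystone = _create_keystone_client(env_vars)
+
+    openstack_config_endpoints.create_users(keystone, BARBICAN_USER_TO_CREATE)
+    openstack_config_endpoints.grant_admin_role(
+        keystone, BARBICAN_USER_TO_CREATE, "services"
+    )
+    openstack_config_endpoints.create_services(keystone, SERVICES_TO_CREATE)
+    openstack_config_endpoints.create_endpoints(keystone, ENDPOINTS_TO_CREATE)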
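Review bot: The Keystone admin password and the new barbican service password arrive as `sys.argv[2]` and `sys.argv[3]` in the `__main__` block, so both are readable in `/proc/<pid>/cmdline` and `ps` output by every local user for as long as the script runs; take them from the environment instead, e.g. `password = os.environ["OS_PASSWORD"]` and `BARBICAN_USER_TO_CREATE[0]["password"] = os.environ["BARBICAN_PASSWORD"]`, with the calling Ansible task supplying them via `environment:`. `admin_username = sys.argv[4]` is assigned but never read, while the name actually used to authenticate is `sys.argv[1]`, so either the fourth argument is dead or the wrong value is used for the Keystone login. `_retrieve_environment_variables` never checks the exit status of the `bash -c` child; if sourcing `/etc/platform/openrc` fails, `env_vars` lacks `auth_url`, `project_name` and `region_name` and the failure surfaces later as a bare `KeyError` instead of a clear message — check `process.returncode` after `process.communicate()` and raise with context. The module docstring also reads `barbicans's` and ends with a doubled period.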
@ -7,6 +7,7 @@
|
|||
# SUB-TASKS DESCRIPTION:
|
||||
# Bootstrap Barbican:
|
||||
# - Generate barbican.conf
|
||||
# - Create Barbican user/service/endpoints
|
||||
# - Configure Barbican DB/User
|
||||
# - Set initial gunicorn-config.py worker value
|
||||
# - Generate barbican-api-logrotate configuration
|
||||
|
@ -14,7 +15,16 @@
|
|||
# - Enable barbican-api service
|
||||
|
||||
- name: Read the required barbican var file contents
|
||||
command: "egrep 'barbican::' {{ hieradata_workdir }}/secure_static.yaml"
|
||||
shell: >-
|
||||
grep -h 'barbican::' secure_static.yaml &&
|
||||
grep -h 'barbican::keystone::authtoken::region_name' static.yaml &&
|
||||
grep -h 'platform::amqp::params::auth_password' secure_static.yaml &&
|
||||
grep -h 'platform::amqp::auth_user' global.yaml &&
|
||||
grep -h 'platform::client::params::' static.yaml &&
|
||||
grep -h 'platform::client::params::' secure_static.yaml &&
|
||||
grep -h 'keystone::roles::admin::admin_tenant' personality.yaml
|
||||
args:
|
||||
chdir: /tmp/puppet/hieradata
|
||||
register: barbican_vars
|
||||
no_log: true
|
||||
|
||||
|
@ -42,6 +52,15 @@
|
|||
group: barbican
|
||||
mode: 0600
|
||||
|
||||
- name: Create barbican endpoints
|
||||
script: >
|
||||
create_barbican_endpoints.py {{ OS_USERNAME }} {{ OS_PASSWORD }} {{ barbican_password }} {{ admin_username }}
|
||||
vars:
|
||||
OS_USERNAME: "{{ barbican_var_dict['keystone::roles::admin::admin_tenant'] }}"
|
||||
OS_PASSWORD: "{{ barbican_var_dict['platform::client::params::admin_password'] }}"
|
||||
barbican_password: "{{ barbican_var_dict['barbican::keystone::auth::password'] }}"
|
||||
admin_username: "{{ barbican_var_dict['platform::client::params::admin_username'] }}"
|
||||
|
||||
- name: Ensure PostgreSQL barbican database and user is created
|
||||
become_user: postgres
|
||||
postgresql_db:
|
||||
|
|
|
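Review bot: The `Create barbican endpoints` task interpolates `{{ OS_PASSWORD }}` and `{{ barbican_password }}` into the `script:` command line but carries no `no_log: true`, unlike the var-reading task above it, so Ansible's default task output and any configured log file record both secrets in clear; add `no_log: true` to the task, and prefer passing the secrets through `environment:` rather than as positional arguments so they also stay out of the process list. `OS_USERNAME` is bound to `keystone::roles::admin::admin_tenant`, which is a project name, while the real login name `platform::client::params::admin_username` is handed over separately as the fourth argument; this only works where the two values happen to coincide, so `OS_USERNAME` should be set from `admin_username` (or the extra argument dropped). The rendered page has lost the +/- column, so the `command: "egrep ...` line is read here as the replaced old form of the `shell:` block.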
@ -300,7 +300,7 @@ sql_connection={{ sql_connection }}
|
|||
# oslo_messaging.TransportURL at
|
||||
# https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
|
||||
# (string value)
|
||||
#transport_url = rabbit://
|
||||
transport_url=rabbit://{{ barbican_var_dict['platform::amqp::auth_user'] }}:{{ barbican_var_dict['platform::amqp::params::auth_password'] }}@localhost:5672
|
||||
|
||||
# The default exchange under which topics are scoped. May be
|
||||
# overridden by an exchange name specified in the transport_url
|
||||
|
@ -355,7 +355,7 @@ sql_connection={{ sql_connection }}
|
|||
#client_socket_timeout = 900
|
||||
|
||||
bind_port=9311
|
||||
bind_host=
|
||||
bind_host=[::]
|
||||
|
||||
[certificate]
|
||||
|
||||
|
@ -546,7 +546,7 @@ www_authenticate_uri=http://localhost:5000
|
|||
#insecure = false
|
||||
|
||||
# The region in which the identity server can be found. (string value)
|
||||
#region_name = <None>
|
||||
region_name={{ barbican_var_dict['barbican::keystone::authtoken::region_name'] }}
|
||||
|
||||
# Optionally specify a list of memcached server(s) to use for caching.
|
||||
# If left undefined, tokens will instead be cached in-process. (list
|
||||
|
@ -648,7 +648,7 @@ password={{ barbican_var_dict['barbican::keystone::auth::password'] }}
|
|||
user_domain_name=Default
|
||||
project_name=services
|
||||
project_domain_name=Default
|
||||
auth_url=http://controller.internal:5000
|
||||
auth_url=http://localhost:5000
|
||||
|
||||
[keystone_notifications]
|
||||
|
||||
|
@ -1057,7 +1057,7 @@ enable=True
|
|||
|
||||
# Connect over SSL. (boolean value)
|
||||
# Deprecated group/name - [oslo_messaging_rabbit]/rabbit_use_ssl
|
||||
ssl=false
|
||||
ssl=False
|
||||
|
||||
# SSL version to use (valid only if SSL enabled). Valid values are
|
||||
# TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be
|
||||
|
|
|
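Review bot: If `bind_host=[::]` is the new value replacing the empty `bind_host=`, the Barbican API now listens on every address on port 9311 over plain HTTP, while the endpoints this bootstrap registers for it are all `http://127.0.0.1:9311` and the `auth_url`/`www_authenticate_uri` values in the same file point at `localhost`; unless remote access is needed at this stage, bind to loopback (`bind_host=::1` or `127.0.0.1`) or to the management address and let later configuration widen it. The rendered page drops the +/- column, so which line of each pair is old and new is inferred from print order. The templated `transport_url` now embeds the RabbitMQ password in `barbican.conf`, which appears acceptable only because the file is written with `mode: 0600` in the bootstrap task; that dependency is worth recording next to the line, e.g. `# contains the AMQP password: barbican.conf must stay mode 0600`.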
@ -199,90 +199,7 @@
|
|||
|
||||
when: replayed
|
||||
|
||||
- name: Add section [KUBE_APISERVER]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "[KUBE_APISERVER]\n"
|
||||
|
||||
- name: Populate k8s kube_apiserver section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
|
||||
loop: "{{ apiserver_extra_args|dict2items }}"
|
||||
|
||||
- name: Add section [KUBE_CONTROLLER_MANAGER]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_CONTROLLER_MANAGER]\n"
|
||||
|
||||
- name: Populate k8s kube_controller_manager section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
|
||||
loop: "{{ controllermanager_extra_args|dict2items }}"
|
||||
|
||||
- name: Add section [KUBE_SCHEDULER]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_SCHEDULER]\n"
|
||||
|
||||
- name: Populate k8s kube_scheduler section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
|
||||
loop: "{{ scheduler_extra_args|dict2items }}"
|
||||
|
||||
- name: Add section [KUBE_APISERVER_EXTRA_VOLUMES]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_APISERVER_EXTRA_VOLUMES]\n"
|
||||
|
||||
- name: Populate k8s kube_apiserver extra_volumes section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.name}}={{item | to_json}}\n"
|
||||
loop: "{{ apiserver_extra_volumes }}"
|
||||
|
||||
- name: Add section [KUBE_CONTROLLER_MANAGER_EXTRA_VOLUMES]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_CONTROLLER_MANAGER_EXTRA_VOLUMES]\n"
|
||||
|
||||
- name: Populate k8s kube_controller_manager extra_volumes section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.name}}={{item | to_json}}\n"
|
||||
loop: "{{ controllermanager_extra_volumes }}"
|
||||
|
||||
- name: Add section [KUBE_SCHEDULER_EXTRA_VOLUMES]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_SCHEDULER_EXTRA_VOLUMES]\n"
|
||||
|
||||
- name: Populate k8s kube_scheduler extra_volumes section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.name}}={{item | to_json}}\n"
|
||||
loop: "{{ scheduler_extra_volumes }}"
|
||||
|
||||
- name: Add section [KUBE_KUBELET]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_KUBELET]\n"
|
||||
|
||||
- name: Populate k8s kubelet section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
|
||||
loop: "{{ kubelet_configurations|dict2items }}"
|
||||
|
||||
- block:
|
||||
- name: Add section [USER_DNS_HOST_RECORDS]
|
||||
set_fact:
|
||||
sysinv_user_dns_host_records: "[USER_DNS_HOST_RECORDS]\n"
|
||||
|
||||
- name: Populate user dns host records section
|
||||
set_fact:
|
||||
sysinv_user_dns_host_records: "{{ sysinv_user_dns_host_records }}{{ item }}={{ user_dns_host_records[item] }}\n"
|
||||
loop: "{{ user_dns_host_records.keys() }}"
|
||||
|
||||
when: user_dns_host_records
|
||||
|
||||
- block:
|
||||
- name: Generate config ini file for python sysinv db population script
|
||||
template:
|
||||
src: bootstrap_config.j2
|
||||
dest: "{{ config_permdir + '/' + bootstrap_config_file|basename }}"
|
||||
|
||||
- include: update_sysinv_database.yml
|
||||
when: save_config_to_db
|
||||
|
||||
# need to do this here to get the barbican secret id for sysinv
|
||||
- block:
|
||||
- name: Create Barbican secret for k8s registry if credentials exist
|
||||
shell: "source /etc/platform/openrc; openstack secret store -n k8s-registry-secret
|
||||
|
@ -375,6 +292,90 @@
|
|||
|
||||
when: icr_registry.username is defined
|
||||
|
||||
- name: Add section [KUBE_APISERVER]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "[KUBE_APISERVER]\n"
|
||||
|
||||
- name: Populate k8s kube_apiserver section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
|
||||
loop: "{{ apiserver_extra_args|dict2items }}"
|
||||
|
||||
- name: Add section [KUBE_CONTROLLER_MANAGER]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_CONTROLLER_MANAGER]\n"
|
||||
|
||||
- name: Populate k8s kube_controller_manager section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
|
||||
loop: "{{ controllermanager_extra_args|dict2items }}"
|
||||
|
||||
- name: Add section [KUBE_SCHEDULER]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_SCHEDULER]\n"
|
||||
|
||||
- name: Populate k8s kube_scheduler section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
|
||||
loop: "{{ scheduler_extra_args|dict2items }}"
|
||||
|
||||
- name: Add section [KUBE_APISERVER_EXTRA_VOLUMES]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_APISERVER_EXTRA_VOLUMES]\n"
|
||||
|
||||
- name: Populate k8s kube_apiserver extra_volumes section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.name}}={{item | to_json}}\n"
|
||||
loop: "{{ apiserver_extra_volumes }}"
|
||||
|
||||
- name: Add section [KUBE_CONTROLLER_MANAGER_EXTRA_VOLUMES]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_CONTROLLER_MANAGER_EXTRA_VOLUMES]\n"
|
||||
|
||||
- name: Populate k8s kube_controller_manager extra_volumes section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.name}}={{item | to_json}}\n"
|
||||
loop: "{{ controllermanager_extra_volumes }}"
|
||||
|
||||
- name: Add section [KUBE_SCHEDULER_EXTRA_VOLUMES]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_SCHEDULER_EXTRA_VOLUMES]\n"
|
||||
|
||||
- name: Populate k8s kube_scheduler extra_volumes section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.name}}={{item | to_json}}\n"
|
||||
loop: "{{ scheduler_extra_volumes }}"
|
||||
|
||||
- name: Add section [KUBE_KUBELET]
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}[KUBE_KUBELET]\n"
|
||||
|
||||
- name: Populate k8s kubelet section
|
||||
set_fact:
|
||||
sysinv_k8s_vars: "{{ sysinv_k8s_vars }}{{item.key}}={{item.value}}\n"
|
||||
loop: "{{ kubelet_configurations|dict2items }}"
|
||||
|
||||
- block:
|
||||
- name: Add section [USER_DNS_HOST_RECORDS]
|
||||
set_fact:
|
||||
sysinv_user_dns_host_records: "[USER_DNS_HOST_RECORDS]\n"
|
||||
|
||||
- name: Populate user dns host records section
|
||||
set_fact:
|
||||
sysinv_user_dns_host_records: "{{ sysinv_user_dns_host_records }}{{ item }}={{ user_dns_host_records[item] }}\n"
|
||||
loop: "{{ user_dns_host_records.keys() }}"
|
||||
|
||||
when: user_dns_host_records
|
||||
|
||||
- block:
|
||||
- name: Generate config ini file for python sysinv db population script
|
||||
template:
|
||||
src: bootstrap_config.j2
|
||||
dest: "{{ config_permdir + '/' + bootstrap_config_file|basename }}"
|
||||
|
||||
- include: update_sysinv_database.yml
|
||||
when: save_config_to_db
|
||||
|
||||
# Update docker and containerd config files and restart docker and containerd
|
||||
# if docker proxy is configured
|
||||
- block:
|
||||
|
|
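Review bot: The relocated block from `Add section [KUBE_APISERVER]` down to the `update_sysinv_database.yml` include now runs after `when: icr_registry.username is defined`, but nothing on the new side says why the order matters; the only explanation (`# need to do this here to get the barbican secret id for sysinv`) appears to sit on the removed side of the first hunk. Add a comment above the moved `[KUBE_APISERVER]` task, e.g. `# Must run after the registry Barbican secrets are stored: update_sysinv_database.yml records their secret ids`, so the next reordering does not silently break the dependency. The `openstack secret store` shell task that the sysinv update now depends on is cut off at the hunk boundary, so its arguments and any `no_log` setting could not be reviewed here.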