Containerization, support 2 keystones in sysinv

Support bare metal and pod based keystone in sysinv.  The existing
keystone_authtoken section of sysinv.conf remains and is used for
platform service authentication, while openstack service authentication
parameters are moved to a new openstack_keystone_authtoken section.
Admin credentials are used in the new openstack_keystone_authtoken
section and the region name parameters are also moved to this new
section.

Change-Id: I7a53dd5a2dc52213e0f1e0cc748649a33f0f9f40
Story: 2002876
Task: 26926
Signed-off-by: Kevin Smith <kevin.smith@windriver.com>
This commit is contained in:
Kevin Smith 2018-10-05 14:04:58 -04:00
parent a275d8171a
commit 3a91cbae4d
4 changed files with 237 additions and 69 deletions


@ -22,12 +22,13 @@
#
# === Parameters
#
# [*keystone_password*]
# The password to use for authentication (keystone)
#
# [*keystone_enabled*]
# (optional) Use keystone for authentification
# Defaults to true
# Applies to both bare metal and pod based keystones
#
# [*keystone_password*]
# The password to use for authentication (keystone)
#
# [*keystone_tenant*]
# (optional) The tenant of the auth user
@ -88,6 +89,58 @@
# (optional) The state of the service
# Defaults to true
#
# [*openstack_keystone_tenant*]
# (optional) The tenant of the auth user
# Defaults to admin
# For pod based keystone for authentication with openstack services
#
# [*openstack_keystone_user*]
# (optional) The name of the auth user
# Defaults to admin
# For pod based keystone for authentication with openstack services
#
# [*openstack_keyring_service*]
# (optional) The keyring service from which to retrieve the password
# For pod based keystone for authentication with openstack services
#
# [*openstack_keystone_auth_host*]
# (optional) The keystone host
# Defaults to localhost
# For pod based keystone for authentication with openstack services
#
# [*openstack_keystone_auth_port*]
# (optional) The keystone auth port
# Defaults to 5000
# For pod based keystone for authentication with openstack services
#
# [*openstack_keystone_auth_protocol*]
# (optional) The protocol used to access the auth host
# Defaults to http.
# For pod based keystone for authentication with openstack services
#
# [*openstack_keystone_auth_admin_prefix*]
# (optional) The admin_prefix used to admin endpoint of the auth host
# This allow admin auth URIs like http://auth_host:5000/keystone.
# (where '/keystone' is the admin prefix)
# Defaults to false for empty. If defined, should be a string with a
# leading '/' and no trailing '/'.
# For pod based keystone for authentication with openstack services
#
# [*openstack_keystone_user_domain*]
# (Optional) domain name for auth user.
# Defaults to 'Default'.
# For pod based keystone for authentication with openstack services
#
# [*openstack_keystone_project_domain*]
# (Optional) domain name for auth project.
# Defaults to 'Default'.
# For pod based keystone for authentication with openstack services
#
# [*openstack_auth_type*]
# (Optional) Authentication type to load.
# Defaults to 'password'.
# For pod based keystone for authentication with openstack services
#
class sysinv::api (
$keystone_password,
$keystone_enabled = true,
@ -103,6 +156,19 @@ class sysinv::api (
$keystone_user_domain = 'Default',
$keystone_project_domain = 'Default',
$auth_type = 'password',
$openstack_keystone_tenant = 'admin',
$openstack_keystone_user = 'admin',
$openstack_keyring_service = undef,
$openstack_keystone_auth_host = 'localhost',
$openstack_keystone_auth_port = '5000',
$openstack_keystone_auth_protocol = 'http',
$openstack_keystone_auth_admin_prefix = false,
$openstack_keystone_auth_uri = false,
$openstack_keystone_auth_version = false,
$openstack_keystone_identity_uri = false,
$openstack_keystone_user_domain = 'Default',
$openstack_keystone_project_domain = 'Default',
$openstack_auth_type = 'password',
$service_port = '5000',
$package_ensure = 'latest',
$bind_host = '0.0.0.0',
@ -145,6 +211,12 @@ class sysinv::api (
sysinv_api_paste_ini { 'filter:authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/"; }
}
if $openstack_keystone_identity_uri {
sysinv_config { 'openstack_keystone_authtoken/auth_url': value => $openstack_keystone_identity_uri; }
} else {
sysinv_config { 'openstack_keystone_authtoken/auth_url': value => "${openstack_keystone_auth_protocol}://${openstack_keystone_auth_host}:5000/"; }
}
if $keystone_auth_uri {
sysinv_config { 'keystone_authtoken/auth_uri': value => $keystone_auth_uri; }
sysinv_api_paste_ini { 'filter:authtoken/auth_uri': value => $keystone_auth_uri; }
@ -157,6 +229,14 @@ class sysinv::api (
}
}
if $openstack_keystone_auth_uri {
sysinv_config { 'openstack_keystone_authtoken/auth_uri': value => $openstack_keystone_auth_uri; }
} else {
sysinv_config {
'openstack_keystone_authtoken/auth_uri': value => "${openstack_keystone_auth_protocol}://${openstack_keystone_auth_host}:5000/";
}
}
if $keystone_auth_version {
sysinv_config { 'keystone_authtoken/auth_version': value => $keystone_auth_version; }
sysinv_api_paste_ini { 'filter:authtoken/auth_version': value => $keystone_auth_version; }
@ -165,6 +245,12 @@ class sysinv::api (
sysinv_api_paste_ini { 'filter:authtoken/auth_version': ensure => absent; }
}
if $openstack_keystone_auth_version {
sysinv_config { 'openstack_keystone_authtoken/auth_version': value => $openstack_keystone_auth_version; }
} else {
sysinv_config { 'openstack_keystone_authtoken/auth_version': ensure => absent; }
}
if $keystone_enabled {
sysinv_config {
'DEFAULT/auth_strategy': value => 'keystone' ;
@ -177,6 +263,14 @@ class sysinv::api (
'keystone_authtoken/user_domain_name': value => $keystone_user_domain;
'keystone_authtoken/project_domain_name': value => $keystone_project_domain;
}
sysinv_config {
'openstack_keystone_authtoken/auth_type': value => $openstack_auth_type;
'openstack_keystone_authtoken/project_name': value => $openstack_keystone_tenant;
'openstack_keystone_authtoken/username': value => $openstack_keystone_user;
'openstack_keystone_authtoken/user_domain_name': value => $openstack_keystone_user_domain;
'openstack_keystone_authtoken/project_domain_name': value => $openstack_keystone_project_domain;
'openstack_keystone_authtoken/keyring_service': value => $openstack_keyring_service;
}
sysinv_api_paste_ini {
'filter:authtoken/project_name': value => $keystone_tenant;
@ -202,6 +296,18 @@ class sysinv::api (
'filter:authtoken/auth_admin_prefix': ensure => absent;
}
}
if $openstack_keystone_auth_admin_prefix {
validate_re($openstack_keystone_auth_admin_prefix, '^(/.+[^/])?$')
sysinv_config {
'openstack_keystone_authtoken/auth_admin_prefix': value => $openstack_keystone_auth_admin_prefix;
}
} else {
sysinv_config {
'openstack_keystone_authtoken/auth_admin_prefix': ensure => absent;
}
}
}
else
{
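Review bot: The new `openstack_keystone_auth_port` parameter (declared with default `'5000'` and documented as "The keystone auth port") is never used: both fallback branches for the new section, the `openstack_keystone_authtoken/auth_url` else-branch and the `openstack_keystone_authtoken/auth_uri` else-branch, hardcode `:5000`, so a pod-based keystone on any other port gets an unreachable URL and the parameter silently does nothing. Both fallbacks should read `"${openstack_keystone_auth_protocol}://${openstack_keystone_auth_host}:${openstack_keystone_auth_port}/"` (the pre-existing `keystone_authtoken` fallback has the same hardcoded port, but that line is not part of this change). Separately, `openstack_keystone_auth_protocol` defaults to `http` while the credentials written into this section are the admin user's, so unless a caller overrides the protocol the admin password and tokens cross the network in clear; a line under the parameter doc such as `# Use https for anything other than a loopback keystone; the admin password is sent on this connection` would make that explicit. The enclosing class `sysinv::api` continues past the last hunk.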


@ -195,10 +195,11 @@ class sysinv (
sysinv_config {
'keystone_authtoken/region_name': value => $region_name;
'keystone_authtoken/neutron_region_name': value => $neutron_region_name;
'keystone_authtoken/cinder_region_name': value => $cinder_region_name;
'keystone_authtoken/nova_region_name': value => $nova_region_name;
'keystone_authtoken/magnum_region_name': value => $magnum_region_name;
'openstack_keystone_authtoken/region_name': value => $region_name;
'openstack_keystone_authtoken/neutron_region_name': value => $neutron_region_name;
'openstack_keystone_authtoken/cinder_region_name': value => $cinder_region_name;
'openstack_keystone_authtoken/nova_region_name': value => $nova_region_name;
'openstack_keystone_authtoken/magnum_region_name': value => $magnum_region_name;
}
sysinv_config {
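Review bot: The region entries are moved into `openstack_keystone_authtoken`, but on the Python side `region_name` is kept in `keystone_opts` and `_get_keystoneclient(PLATFORM_CONFIG)` still reads `cfg.CONF[service_config].region_name` for the platform keystone client; if `keystone_authtoken/region_name` is no longer written by this resource (the rendered page has lost the +/- markers, so I cannot tell whether that line survives), the platform client silently falls back to the option default `RegionOne`, which is wrong in any deployment that renamed the region. Either keep `'keystone_authtoken/region_name': value => $region_name;` in this resource alongside the new section, or remove `region_name` from `keystone_opts` so the mismatch fails loudly instead of defaulting. The enclosing class `sysinv` starts and ends outside the hunk.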


@ -11,6 +11,7 @@
""" System Inventory Openstack Utilities and helper functions."""
import keyring
from cinderclient.v2 import client as cinder_client_v2
from sysinv.common import constants
from sysinv.common import exception
@ -23,7 +24,6 @@ from neutronclient.v2_0 import client as neutron_client_v2_0
from oslo_config import cfg
from keystoneclient.v3 import client as keystone_client
from keystoneclient.auth.identity import v3
from keystoneclient import exceptions as identity_exc
from keystoneclient import session
from sqlalchemy.orm import exc
from magnumclient.v1 import client as magnum_client_v1
@ -60,18 +60,6 @@ keystone_opts = [
cfg.StrOpt('region_name',
default='RegionOne',
help=_("Region Name")),
cfg.StrOpt('neutron_region_name',
default='RegionOne',
help=_("Neutron Region Name")),
cfg.StrOpt('cinder_region_name',
default='RegionOne',
help=_("Cinder Region Name")),
cfg.StrOpt('nova_region_name',
default='RegionOne',
help=_("Nova Region Name")),
cfg.StrOpt('magnum_region_name',
default='RegionOne',
help=_("Magnum Region Name")),
cfg.StrOpt('username',
default='sysinv',
help=_("Sysinv keystone user name")),
@ -89,8 +77,52 @@ keystone_opts = [
help=_("Sysinv keystone user project domain name"))
]
openstack_keystone_opts = [
cfg.StrOpt('keyring_service',
default='CGCS',
help=_("Keyring service")),
cfg.StrOpt('auth_uri',
default='http://192.168.204.2:5000/',
help=_("Authentication URI")),
cfg.StrOpt('auth_url',
default='http://127.0.0.1:5000/',
help=_("Admin Authentication URI")),
cfg.StrOpt('region_name',
default='RegionOne',
help=_("Region Name")),
cfg.StrOpt('username',
default='admin',
help=_("keystone user name")),
cfg.StrOpt('neutron_region_name',
default='RegionOne',
help=_("Neutron Region Name")),
cfg.StrOpt('cinder_region_name',
default='RegionOne',
help=_("Cinder Region Name")),
cfg.StrOpt('nova_region_name',
default='RegionOne',
help=_("Nova Region Name")),
cfg.StrOpt('magnum_region_name',
default='RegionOne',
help=_("Magnum Region Name")),
cfg.StrOpt('project_name',
default='admin',
help=_("keystone user project name")),
cfg.StrOpt('user_domain_name',
default='Default',
help=_("keystone user domain name")),
cfg.StrOpt('project_domain_name',
default='Default',
help=_("keystone user project domain name"))
]
# Register the configuration options
cfg.CONF.register_opts(keystone_opts, "KEYSTONE_AUTHTOKEN")
PLATFORM_CONFIG = 'KEYSTONE_AUTHTOKEN'
OPENSTACK_CONFIG = 'OPENSTACK_KEYSTONE_AUTHTOKEN'
cfg.CONF.register_opts(keystone_opts, PLATFORM_CONFIG)
cfg.CONF.register_opts(openstack_keystone_opts, OPENSTACK_CONFIG)
class OpenStackOperator(object):
@ -105,7 +137,19 @@ class OpenStackOperator(object):
self.nova_client = None
self.neutron_client = None
self._neutron_extension_list = []
self.auth_url = cfg.CONF.KEYSTONE_AUTHTOKEN.auth_url + "/v3"
self._auth_url = cfg.CONF[PLATFORM_CONFIG].auth_url + "/v3"
self._openstack_auth_url = cfg.CONF[OPENSTACK_CONFIG].auth_url + "/v3"
def _get_auth_url(self, service_config):
if service_config == PLATFORM_CONFIG:
return self._auth_url
elif service_config == OPENSTACK_CONFIG:
return self._openstack_auth_url
else:
LOG.error("Unrecognized keystone service configuration. "
"service_config=%s" % (service_config))
raise exception.InvalidParameterValue(
_("Unrecognized keystone service_config."))
#################
# NEUTRON
@ -116,10 +160,10 @@ class OpenStackOperator(object):
# neutronclient doesn't yet support v3 keystone auth
# use keystoneauth.session
self.neutron_client = neutron_client_v2_0.Client(
session=self._get_keystone_session(),
auth_url=self.auth_url,
session=self._get_keystone_session(OPENSTACK_CONFIG),
auth_url=self._get_auth_url(OPENSTACK_CONFIG),
endpoint_type='internalURL',
region_name=cfg.CONF.KEYSTONE_AUTHTOKEN.neutron_region_name)
region_name=cfg.CONF[OPENSTACK_CONFIG].neutron_region_name)
return self.neutron_client
def get_providernetworksdict(self, pn_names=None, quiet=False):
@ -243,11 +287,11 @@ class OpenStackOperator(object):
# novaclient doesn't yet support v3 keystone auth
# use keystoneauth.session
self.nova_client = nova_client_v2.Client(
session=self._get_keystone_session(),
auth_url=self.auth_url,
session=self._get_keystone_session(OPENSTACK_CONFIG),
auth_url=self._get_auth_url(OPENSTACK_CONFIG),
endpoint_type='internalURL',
direct_use=False,
region_name=cfg.CONF.KEYSTONE_AUTHTOKEN.nova_region_name)
region_name=cfg.CONF[OPENSTACK_CONFIG].nova_region_name)
return self.nova_client
def try_interface_get_by_host(self, host_uuid):
@ -639,49 +683,49 @@ class OpenStackOperator(object):
#################
# Keystone
#################
def _get_keystone_session(self):
def _get_keystone_session(self, service_config):
if not self.keystone_session:
auth = v3.Password(auth_url=self.auth_url,
username=cfg.CONF.KEYSTONE_AUTHTOKEN.username,
password=cfg.CONF.KEYSTONE_AUTHTOKEN.password,
user_domain_name=cfg.CONF.KEYSTONE_AUTHTOKEN.
if service_config == OPENSTACK_CONFIG:
password = keyring.get_password(cfg.CONF[OPENSTACK_CONFIG].
keyring_service,
cfg.CONF[OPENSTACK_CONFIG].
username)
else:
password = cfg.CONF[service_config].password
auth = v3.Password(auth_url=self._get_auth_url(service_config),
username=cfg.CONF[service_config].username,
password=password,
user_domain_name=cfg.CONF[service_config].
user_domain_name,
project_name=cfg.CONF.KEYSTONE_AUTHTOKEN.
project_name=cfg.CONF[service_config].
project_name,
project_domain_name=cfg.CONF.KEYSTONE_AUTHTOKEN.
project_domain_name=cfg.CONF[service_config].
project_domain_name)
self.keystone_session = session.Session(auth=auth)
return self.keystone_session
def _get_keystoneclient(self):
def _get_keystoneclient(self, service_config):
if service_config == OPENSTACK_CONFIG:
password = keyring.get_password(cfg.CONF[OPENSTACK_CONFIG].
keyring_service,
cfg.CONF[OPENSTACK_CONFIG].
username)
else:
password = cfg.CONF[service_config].password
if not self.keystone_client: # should not cache this forever
self.keystone_client = keystone_client.Client(
username=cfg.CONF.KEYSTONE_AUTHTOKEN.username,
user_domain_name=cfg.CONF.KEYSTONE_AUTHTOKEN.user_domain_name,
project_name=cfg.CONF.KEYSTONE_AUTHTOKEN.project_name,
project_domain_name=cfg.CONF.KEYSTONE_AUTHTOKEN
username=cfg.CONF[service_config].username,
user_domain_name=cfg.CONF[service_config].user_domain_name,
project_name=cfg.CONF[service_config].project_name,
project_domain_name=cfg.CONF[service_config]
.project_domain_name,
password=cfg.CONF.KEYSTONE_AUTHTOKEN.password,
auth_url=self.auth_url,
region_name=cfg.CONF.KEYSTONE_AUTHTOKEN.region_name)
password=password,
auth_url=self._get_auth_url(service_config),
region_name=cfg.CONF[service_config].region_name)
return self.keystone_client
def _get_identity_id(self):
try:
LOG.debug("Search service id for : (%s)" %
constants.SERVICE_TYPE_IDENTITY)
service = self._get_keystoneclient().services.find(
type=constants.SERVICE_TYPE_IDENTITY)
except identity_exc.NotFound:
LOG.error("Could not find service id for (%s)" %
constants.SERVICE_TYPE_IDENTITY)
return None
except identity_exc.NoUniqueMatch:
LOG.error("Multiple service matches found for (%s)" %
constants.SERVICE_TYPE_IDENTITY)
return None
return service.id
#################
# Cinder
#################
@ -692,10 +736,10 @@ class OpenStackOperator(object):
region1_name = get_region_name('region_1_name')
if region1_name is None:
region1_name = 'RegionOne'
service_list = self._get_keystoneclient().services.list()
service_list = self._get_keystoneclient(OPENSTACK_CONFIG).services.list()
for s in service_list:
if s.name.find(constants.SERVICE_TYPE_CINDER) != -1:
endpoint_list += self._get_keystoneclient().endpoints.list(
endpoint_list += self._get_keystoneclient(OPENSTACK_CONFIG).endpoints.list(
service=s, region=region1_name)
except Exception:
LOG.error("Failed to get keystone endpoints for cinder.")
@ -704,10 +748,10 @@ class OpenStackOperator(object):
def _get_cinderclient(self):
if not self.cinder_client:
self.cinder_client = cinder_client_v2.Client(
session=self._get_keystone_session(),
auth_url=self.auth_url,
session=self._get_keystone_session(OPENSTACK_CONFIG),
auth_url=self._get_auth_url(OPENSTACK_CONFIG),
endpoint_type='internalURL',
region_name=cfg.CONF.KEYSTONE_AUTHTOKEN.cinder_region_name)
region_name=cfg.CONF[OPENSTACK_CONFIG].cinder_region_name)
return self.cinder_client
@ -817,7 +861,7 @@ class OpenStackOperator(object):
region1_name = get_region_name('region_1_name')
if region1_name is None:
region1_name = 'RegionOne'
auth_ref = self._get_keystoneclient().auth_ref
auth_ref = self._get_keystoneclient(PLATFORM_CONFIG).auth_ref
if auth_ref is None:
raise exception.SysinvException(_("Unable to get auth ref "
"from keystone client"))
@ -830,7 +874,7 @@ class OpenStackOperator(object):
version = 1
return cgts_client.Client(version=version,
endpoint=endpoint['url'],
auth_url=self.auth_url,
auth_url=self._get_auth_url(PLATFORM_CONFIG),
token=auth_token['id'])
def get_ceph_mon_info(self):
@ -879,11 +923,11 @@ class OpenStackOperator(object):
# because neutron and nova client doesn't
# and I shamelessly copied them
self.magnum_client = magnum_client_v1.Client(
session=self._get_keystone_session(),
auth_url=self.auth_url,
session=self._get_keystone_session(OPENSTACK_CONFIG),
auth_url=self._get_auth_url(OPENSTACK_CONFIG),
endpoint_type='internalURL',
direct_use=False,
region_name=cfg.CONF.KEYSTONE_AUTHTOKEN.magnum_region_name)
region_name=cfg.CONF[OPENSTACK_CONFIG].magnum_region_name)
return self.magnum_client
def get_magnum_cluster_count(self):
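Review bot: `_get_keystone_session` and `_get_keystoneclient` now take a `service_config`, but each still caches a single object (`self.keystone_session`, `self.keystone_client`) without recording which keystone it was built for, so whichever config is requested first wins and a later call with the other config silently reuses a session authenticated with the other credentials against the other `auth_url`. With `_get_keystoneclient(PLATFORM_CONFIG)` in the cgts-client path and `_get_keystoneclient(OPENSTACK_CONFIG)` in the cinder endpoint lookup, that means an admin-scoped token can be used where the `sysinv` service user was intended (or the reverse), and the endpoint query can go to the wrong keystone. Key both caches by `service_config` (two dicts initialised in `__init__`, which is partly outside the hunk; assumes nothing else reads the old attributes), and move the keyring lookup into one helper so `_get_keystoneclient` stops fetching the admin password from keyring on every call even when the client is already cached; the helper should also reject a `None` from `keyring.get_password` instead of passing it to `v3.Password`. The new `auth_uri`/`auth_url` defaults are plain `http://`, which presumably mirrors the existing `keystone_opts` defaults, but a help-string note that they are loopback-only defaults is warranted now that admin credentials travel on that session.
```python
def _get_service_password(self, service_config):
    """Password for the given keystone config; the openstack admin password is read from keyring."""
    if service_config != OPENSTACK_CONFIG:
        return cfg.CONF[service_config].password
    password = keyring.get_password(cfg.CONF[OPENSTACK_CONFIG].keyring_service,
                                    cfg.CONF[OPENSTACK_CONFIG].username)
    if not password:
        raise exception.SysinvException(
            _("No keyring password for openstack keystone user"))
    return password

def _get_keystone_session(self, service_config):
    # one cached session per keystone (self._keystone_sessions = {} in __init__)
    keystone_session = self._keystone_sessions.get(service_config)
    if keystone_session is None:
        auth = v3.Password(auth_url=self._get_auth_url(service_config),
                           username=cfg.CONF[service_config].username,
                           password=self._get_service_password(service_config),
                           # … unchanged: user_domain_name / project_name / project_domain_name kwargs …
                           )
        keystone_session = session.Session(auth=auth)
        self._keystone_sessions[service_config] = keystone_session
    return keystone_session

def _get_keystoneclient(self, service_config):
    # one cached client per keystone (self._keystone_clients = {} in __init__); should not cache this forever
    client = self._keystone_clients.get(service_config)
    if client is None:
        client = keystone_client.Client(
            username=cfg.CONF[service_config].username,
            # … unchanged: user_domain_name / project_name / project_domain_name kwargs …
            password=self._get_service_password(service_config),
            auth_url=self._get_auth_url(service_config),
            region_name=cfg.CONF[service_config].region_name)
        self._keystone_clients[service_config] = client
    return client
```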


@ -16,6 +16,8 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
SERVICE_PORT = 6385
SERVICE_PATH = 'v1'
OPENSTACK_KEYRING_SERVICE = 'CGCS'
def get_static_config(self):
dbuser = self._get_database_username(self.SERVICE_NAME)
@ -79,6 +81,21 @@ class SystemInventoryPuppet(openstack.OpenstackBasePuppet):
'openstack::sysinv::params::region_name': self.get_region_name(),
'platform::sysinv::params::service_create':
self._to_create_services(),
'sysinv::api::openstack_keystone_auth_uri':
self._keystone_auth_uri(),
'sysinv::api::openstack_keystone_identity_uri':
self._keystone_identity_uri(),
'sysinv::api::openstack_keystone_user_domain':
self._operator.keystone.get_admin_user_domain(),
'sysinv::api::openstack_keystone_project_domain':
self._operator.keystone.get_admin_project_domain(),
'sysinv::api::openstack_keystone_user':
self._operator.keystone.get_admin_user_name(),
'sysinv::api::openstack_keystone_tenant':
self._operator.keystone.get_admin_project_name(),
'sysinv::api::openstack_keyring_service':
self.OPENSTACK_KEYRING_SERVICE
}
def get_secure_system_config(self):