From 5afd5f90b29f6e097824f7c6f2fe7762597d9ad6 Mon Sep 17 00:00:00 2001
From: Andy Ning <andy.ning@windriver.com>
Date: Tue, 5 Nov 2019 00:12:26 -0500
Subject: [PATCH] update Barbican admin secret's user/project IDs during
 bootstrap

In a DC system when subcloud is managed, keystone user/project IDs are
synced with Central Cloud, including admin user and project. But the
admin's secrets in Barbian still use the original user/project IDs,
causing docker registry access failure when platform-integ-apps is
reapplied.

This change added a patch to keystone puppet manifest, that updates
keystone admin user/project IDs to be the same as Central Cloud right
after keystone is bootstrapped during subcloud deployment. This way any
referece to admin user/project IDs after bootstrap will be using the
IDs same as Central Cloud, including the ones in Barbican. This will
solve the problem of retrieving central registry credential failure
when platform-integ-apps is reapplied.

Change-Id: I509a06b4b810620a1b3648837726f7f2771162a5
Closes-Bug: 1851247
Signed-off-by: Andy Ning <andy.ning@windriver.com>
---
 .../centos/build_srpm.data                    |  2 +-
 ...ican-admin-secret-s-user-project-IDs.patch | 33 ++++++++++
 .../centos/meta_patches/PATCH_ORDER           |  1 +
 ...admin-secret-s-user-project-IDs-duri.patch | 63 +++++++++++++++++++
 4 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/0007-update-Barbican-admin-secret-s-user-project-IDs.patch
 create mode 100644 config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/patches/0006-update-Barbican-admin-secret-s-user-project-IDs-duri.patch

diff --git a/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/build_srpm.data b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/build_srpm.data
index 898fe26d9..c428b1f1d 100644
--- a/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/build_srpm.data
+++ b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/build_srpm.data
@@ -1 +1 @@
-TIS_PATCH_VER=8
+TIS_PATCH_VER=9
diff --git a/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/0007-update-Barbican-admin-secret-s-user-project-IDs.patch b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/0007-update-Barbican-admin-secret-s-user-project-IDs.patch
new file mode 100644
index 000000000..b596409f3
--- /dev/null
+++ b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/0007-update-Barbican-admin-secret-s-user-project-IDs.patch
@@ -0,0 +1,33 @@
+From a53d9bfc15e1d24a604fcc461f9a6e1483ed262d Mon Sep 17 00:00:00 2001
+From: Andy Ning <andy.ning@windriver.com>
+Date: Mon, 4 Nov 2019 20:51:22 -0500
+Subject: [PATCH 1/1] update Barbican admin secret's user/project IDs
+
+Signed-off-by: Andy Ning <andy.ning@windriver.com>
+---
+ SPECS/puppet-keystone.spec | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/SPECS/puppet-keystone.spec b/SPECS/puppet-keystone.spec
+index 5b5e255..ae233f0 100644
+--- a/SPECS/puppet-keystone.spec
++++ b/SPECS/puppet-keystone.spec
+@@ -15,6 +15,7 @@ Patch0002:      0002-remove-the-Keystone-admin-app.patch
+ Patch0003:      0003-remove-eventlet_bindhost-from-Keystoneconf.patch
+ Patch0004:      0004-escape-special-characters-in-bootstrap.patch
+ Patch0005:      0005-Add-support-for-fernet-receipts.patch
++Patch0006:      0006-update-Barbican-admin-secret-s-user-project-IDs-duri.patch
+
+ BuildArch:      noarch
+
+@@ -37,6 +38,7 @@ Puppet module for OpenStack Keystone
+ %patch0003 -p1
+ %patch0004 -p1
+ %patch0005 -p1
++%patch0006 -p1
+
+ find . -type f -name ".*" -exec rm {} +
+ find . -size 0 -exec rm {} +
+--
+1.8.3.1
+
diff --git a/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/PATCH_ORDER b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/PATCH_ORDER
index be22cf58c..ce35c5e99 100644
--- a/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/PATCH_ORDER
+++ b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/PATCH_ORDER
@@ -4,3 +4,4 @@
 0004-remove-eventlet_and_bindhost-from-keystoneconf.patch
 0005-escape-special-characters-in-bootstrap.patch
 0006-Add-support-for-fernet-receipts.patch
+0007-update-Barbican-admin-secret-s-user-project-IDs.patch
diff --git a/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/patches/0006-update-Barbican-admin-secret-s-user-project-IDs-duri.patch b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/patches/0006-update-Barbican-admin-secret-s-user-project-IDs-duri.patch
new file mode 100644
index 000000000..0132b487f
--- /dev/null
+++ b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/patches/0006-update-Barbican-admin-secret-s-user-project-IDs-duri.patch
@@ -0,0 +1,63 @@
+From 60f023e20c7e1f98d1f71fb04e829a3ff0477f65 Mon Sep 17 00:00:00 2001
+From: Andy Ning <andy.ning@windriver.com>
+Date: Mon, 4 Nov 2019 20:20:28 -0500
+Subject: [PATCH 1/1] update Barbican admin secret's user/project IDs during
+ bootstrap
+
+In a DC system when subcloud is managed, keystone user/project IDs are
+synced with Central Cloud, including admin user and project. But the
+admin's secrets in Barbian still use the original user/project IDs,
+causing docker registry access failure when platform-integ-apps is
+reapplied.
+
+This updated keystone admin user/project IDs to be the same as Central
+Cloud right after keystone is bootstrapped during subcloud deployment.
+This way any referece to admin user/project IDs after bootstrap will be
+using the IDs same as Central Cloud, including the ones in Barbican.
+This will solve the problem of registry access failure issue.
+
+Closes-Bug: 1851247
+Signed-off-by: Andy Ning <andy.ning@windriver.com>
+---
+ manifests/init.pp | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/manifests/init.pp b/manifests/init.pp
+index 7bb0094..421259c 100644
+--- a/manifests/init.pp
++++ b/manifests/init.pp
+@@ -791,6 +791,8 @@ class keystone(
+   $rabbit_port                          = $::os_service_default,
+   $rabbit_userid                        = $::os_service_default,
+   $rabbit_virtual_host                  = $::os_service_default,
++  $dc_admin_user_id                     = undef,
++  $dc_admin_project_id                  = undef,
+ ) inherits keystone::params {
+
+   include ::keystone::deps
+@@ -1311,6 +1313,22 @@ running as a standalone service, or httpd for being run by a httpd server")
+       subscribe   => Anchor['keystone::dbsync::end'],
+       tag         => 'keystone-exec',
+     }
++
++    if $dc_admin_user_id and $dc_admin_project_id {
++      exec { 'update keystone admin assignment actor_id':
++        command     => "sudo -u postgres psql -d keystone -c \"update public.assignment set actor_id='$dc_admin_user_id' from public.local_user where public.assignment.actor_id=public.local_user.user_id and public.local_user.name='admin'\"",
++        require     => Exec['keystone-manage bootstrap'],
++      }
++      -> exec { 'update keystone admin assignment target_id':
++        command     => "sudo -u postgres psql -d keystone -c \"update public.assignment set target_id='$dc_admin_project_id' from public.project where public.assignment.target_id=public.project.id and public.project.name='admin'\"",
++      }
++      -> exec { 'update keystone admin user id':
++        command     => "sudo -u postgres psql -d keystone -c \"update public.user set id='$dc_admin_user_id' from public.local_user where public.user.id=public.local_user.user_id and public.local_user.name='admin'\"",
++      }
++      -> exec { 'update keystone admin project id':
++        command     => "sudo -u postgres psql -d keystone -c \"update public.project set id='$dc_admin_project_id' where name='admin'\"",
++      }
++    }
+   }
+
+   # WRS: Now that the keystone service has started,
+--
+1.8.3.1
+