Merge "Create keystone config secret in operator"

devstack/lib/keystone

@@ -16,110 +16,18 @@
 
 # install_keystone() - Collect source and prepare
 function install_keystone {
-	echo "Both installation and startup are included in the deployment of keystone crd."
+	echo noop
 }
 export -f install_keystone
 
 # configure_keystone() - Set config files, create data dirs, etc
 function configure_keystone {
-    sudo install -d -o $STACK_USER $KEYSTONE_CONF_DIR
+    echo noop
-
-    if [[ "$KEYSTONE_CONF_DIR" != "$KEYSTONE_DIR/etc" ]]; then
-        install -m 600 /dev/null $KEYSTONE_CONF
-    fi
-    # Populate ``keystone.conf``
-    if is_service_enabled ldap; then
-        iniset $KEYSTONE_CONF identity domain_config_dir "$KEYSTONE_CONF_DIR/domains"
-        iniset $KEYSTONE_CONF identity domain_specific_drivers_enabled "True"
-    fi
-    iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND"
-    iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS
-    iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND"
-    iniset $KEYSTONE_CONF role driver "$KEYSTONE_ROLE_BACKEND"
-    iniset $KEYSTONE_CONF resource driver "$KEYSTONE_RESOURCE_BACKEND"
-
-    # Enable caching
-    iniset $KEYSTONE_CONF cache enabled $KEYSTONE_ENABLE_CACHE
-    iniset $KEYSTONE_CONF cache backend $CACHE_BACKEND
-    iniset $KEYSTONE_CONF cache memcache_servers "mcrouter-memcached-keystone:11211"
-
-    iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications
-
-    local service_port=$KEYSTONE_SERVICE_PORT
-    local auth_port=$KEYSTONE_AUTH_PORT
-
-    if is_service_enabled tls-proxy; then
-        # Set the service ports for a proxy to take the originals
-        service_port=$KEYSTONE_SERVICE_PORT_INT
-        auth_port=$KEYSTONE_AUTH_PORT_INT
-    fi
-
-    # Override the endpoints advertised by keystone (the public_endpoint and
-    # admin_endpoint) so that clients use the correct endpoint. By default, the
-    # keystone server uses the public_port and admin_port which isn't going to
-    # work when you want to use a different port (in the case of proxy), or you
-    # don't want the port (in the case of putting keystone on a path in
-    # apache).
-    iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
-    iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
-
-    if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
-        iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
-    fi
-
-    # Get mysql password
-    KEYSTONE_DATABASE_USER=$(get_data_from_secret keystone-mysql openstack USER)
-    KEYSTONE_DATABASE_PASSWORD=$(get_data_from_secret keystone-mysql openstack PASSWORD)
-    KEYSTONE_DATABASE_NAME=$(get_data_from_secret keystone-mysql openstack DATABASE)
-    iniset $KEYSTONE_CONF database connection "mysql+pymysql://$KEYSTONE_DATABASE_USER:$KEYSTONE_DATABASE_PASSWORD@keystone-mysql/$KEYSTONE_DATABASE_NAME?charset=utf8"
-
-    # Set up logging
-    if [ "$SYSLOG" != "False" ]; then
-        iniset $KEYSTONE_CONF DEFAULT use_syslog "True"
-    fi
-
-    # Format logging
-    setup_logging $KEYSTONE_CONF
-
-    iniset $KEYSTONE_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
-
-    if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
-        iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s"
-        _config_keystone_apache_wsgi
-    else # uwsgi
-        write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity"
-        write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin"
-    fi
-
-    iniset $KEYSTONE_CONF DEFAULT max_token_size 16384
-
-    iniset $KEYSTONE_CONF fernet_tokens key_repository "$KEYSTONE_CONF_DIR/fernet-keys/"
-
-    iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/"
-
-    # Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project.
-    # The users from this project are globally admin as before, but it also
-    # allows policy changes in order to clarify the adminess scope.
-    #iniset $KEYSTONE_CONF resource admin_project_domain_name Default
-    #iniset $KEYSTONE_CONF resource admin_project_name admin
-
-    if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
-        iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
-        iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
-        iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
-    fi
 }
 
 # init_keystone() - Initialize databases, etc.
 function init_keystone {
-    kubectl create secret generic keystone-config --from-file=/etc/keystone/keystone.conf -n openstack
+	echo noop
-	# NOTE(mnaser): Permissions here are bad but it's temporary so we don't care as much.
-	sudo chmod -Rv 777 /etc/keystone
-
-	if [[ "$RECREATE_KEYSTONE_DB" == True ]]; then
-		# (Re)create keystone database
-		recreate_database keystone
-	fi
 }
 export -f init_keystone
 
@@ -152,12 +60,6 @@ function start_keystone {
 		die $LINENO "keystone did not start"
 	fi
 
-	# Start proxies if enabled
-	if is_service_enabled tls-proxy; then
-		start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
-		start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
-	fi
-
 	# (re)start memcached to make sure we have a clean memcache.
 	kubectl rollout restart statefulset/memcached-keystone
 	sleep 10

openstack_operator/keystone.py

@@ -29,6 +29,7 @@ from openstack_operator import utils
 
 TOKEN_EXPIRATION = 86400
 FERNET_ROTATION_INTERVAL = 3600
+ACTIVE_KEYS = int(TOKEN_EXPIRATION / FERNET_ROTATION_INTERVAL)
 
 
 def _is_keystone_deployment(name, **_):
@@ -60,11 +61,8 @@ def create_or_rotate_fernet_repository(name):
     # Stage a new key
     data['0'] = fernet.Fernet.generate_key().decode('utf-8')
 
-    # Determine number of active keys
-    active_keys = int(TOKEN_EXPIRATION / FERNET_ROTATION_INTERVAL)
-
     # Determine the keys to keep and drop others
-    keys_to_keep = [0] + sorted_keys[-active_keys:]
+    keys_to_keep = [0] + sorted_keys[-ACTIVE_KEYS:]
     keys = {k: base64.b64encode(v.encode('utf-8')).decode('utf-8')
             for k, v in data.items() if int(k) in keys_to_keep}
 
@@ -109,12 +107,21 @@ def create_or_resume(name, spec, **_):
                            username=username)
     # (TODO)Replace the current admin url
 
+    # deploy mysql
     if "mysql" not in spec:
         spec["mysql"] = {}
-    database.ensure_mysql_cluster("keystone", spec["mysql"])
+    db_config = database.ensure_mysql_cluster("keystone", spec["mysql"])
 
+    # deploy memcached
     utils.create_or_update('keystone/memcached.yml.j2', spec=spec)
 
+    # keystone config
+    utils.create_or_update('keystone/secret-config.yml.j2',
+                           password=db_config["PASSWORD"],
+                           TOKEN_EXPIRATION=TOKEN_EXPIRATION,
+                           ACTIVE_KEYS=ACTIVE_KEYS)
+
+    # deploy keystone
     utils.create_or_update('keystone/daemonset.yml.j2',
                            name=name, spec=spec,
                            config_hash=config_hash)

openstack_operator/templates/keystone/secret-config.yml.j2

@@ -0,0 +1,32 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keystone-config
+  namespace: openstack
+stringData:
+  keystone.conf: |
+    [cache]
+    enabled=true
+    backend = dogpile.cache.memcached
+    memcache_servers=mcrouter-memcached-keystone
+    [database]
+    connection="mysql+pymysql://keystone:{{ password }}@keystone-mysql:3306/keystone?charset=utf8"
+    [fernet_tokens]
+    max_active_keys = {{ ACTIVE_KEYS }}
+    [token]
+    expiration = {{ TOKEN_EXPIRATION }}