Fix Magnum trustee issues
This patch set fixes all Magnum issues in kolla master. The [trust] section is set in magnum.conf using the trustee domain and user created for Magnum in ansible/roles/magnum/tasks/register.yml via the Ansible OpenStack modules. Bump shade to 1.5.0 in kolla-toolbox because of the os_user_role Ansible module dependency. Certificate storage is changed from 'local' (non-production) to Magnum's internal storage (x509keypair) or Barbican. Co-Authored-By: Martin Matyas <martinx.maty@intel.com> Change-Id: Ifcb016c0bc4c8c3fc20e063fa05dc8838aae838c Closes-Bug: #1551992
This commit is contained in:
parent
b32d7ce802
commit
3c45625197
@ -38,3 +38,55 @@
|
||||
retries: 10
|
||||
delay: 5
|
||||
run_once: True
|
||||
|
||||
- name: Creating Magnum trustee domain
|
||||
command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
|
||||
-m os_keystone_domain
|
||||
-a "name=magnum
|
||||
description='Owns users and projects created by magnum'
|
||||
auth={{ '{{ openstack_magnum_auth }}' }}"
|
||||
-e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
|
||||
register: trustee_domain
|
||||
changed_when: "{{ trustee_domain.stdout.find('localhost | SUCCESS => ') != -1 and (trustee_domain.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
|
||||
until: trustee_domain.stdout.split()[2] == 'SUCCESS'
|
||||
retries: 10
|
||||
delay: 5
|
||||
run_once: True
|
||||
|
||||
- name: Setting Magnum trustee domain value
|
||||
set_fact:
|
||||
magnum_trustee_domain_id: "{{ (trustee_domain.stdout.split('localhost | SUCCESS => ')[1]|from_json).id }}"
|
||||
|
||||
- name: Creating Magnum trustee user
|
||||
command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
|
||||
-m os_user
|
||||
-a "name=magnum_trustee_domain_admin
|
||||
domain=magnum
|
||||
password={{ magnum_keystone_password }}
|
||||
auth={{ '{{ openstack_magnum_auth }}' }}"
|
||||
-e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
|
||||
register: trustee_user
|
||||
changed_when: "{{ trustee_user.stdout.find('localhost | SUCCESS => ') != -1 and (trustee_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
|
||||
until: trustee_user.stdout.split()[2] == 'SUCCESS'
|
||||
retries: 10
|
||||
delay: 5
|
||||
run_once: True
|
||||
|
||||
- name: Setting Magnum trustee user value
|
||||
set_fact:
|
||||
magnum_trustee_domain_admin_id: "{{ (trustee_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).user.id }}"
|
||||
|
||||
- name: Creating Magnum trustee user role
|
||||
command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
|
||||
-m os_user_role
|
||||
-a "domain={{ magnum_trustee_domain_id }}
|
||||
user={{ magnum_trustee_domain_admin_id }}
|
||||
role=admin
|
||||
auth={{ '{{ openstack_magnum_auth }}' }}"
|
||||
-e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
|
||||
register: magnum_user_role_result
|
||||
changed_when: "{{ magnum_user_role_result.stdout.find('localhost | SUCCESS => ') != -1 and (magnum_user_role_result.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
|
||||
until: magnum_user_role_result.stdout.split()[2] == 'SUCCESS'
|
||||
retries: 10
|
||||
delay: 5
|
||||
run_once: True
|
||||
|
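Review bot: The trustee-user task (`- name: Creating Magnum trustee user`) puts `password={{ magnum_keystone_password }}` into the `docker exec ... ansible localhost -m os_user -a "..."` argument string, and every new task's `-e` also carries `openstack_magnum_auth`, which presumably holds admin credentials; none of the four tasks sets `no_log`, so the rendered command line and the registered stdout can end up in Ansible's output and logs. Adding `no_log: True` next to `run_once: True` on each task that passes credentials (and on the two `set_fact` tasks that parse the registered stdout) keeps them out of the log. Reusing `magnum_keystone_password` for the trustee domain admin means the service user and the domain admin share one secret — the same value is wired in again as `trustee_domain_admin_password` in the `[trust]` hunk of magnum.conf — so a dedicated variable would let the two be rotated independently, though it would have to be declared outside this change. The `until: ...stdout.split()[2] == 'SUCCESS'` checks raise on an empty stdout instead of retrying, which is worth confirming is acceptable. The task whose `retries`/`delay`/`run_once` lines open the hunk begins outside it.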
@ -20,5 +20,6 @@
|
||||
volumes:
|
||||
- "{{ node_config_directory }}/magnum-conductor/:{{ container_config_directory }}/:ro"
|
||||
- "/etc/localtime:/etc/localtime:ro"
|
||||
- "magnum:/var/lib/magnum/"
|
||||
- "kolla_logs:/var/log/kolla/"
|
||||
when: inventory_hostname in groups['magnum-conductor']
|
||||
|
@ -1,6 +1,6 @@
|
||||
[DEFAULT]
|
||||
debug = {{ magnum_logging_debug }}
|
||||
|
||||
state_path = /var/lib/magnum
|
||||
log_dir = /var/log/kolla/magnum
|
||||
|
||||
transport_url = rabbit://{% for host in groups['rabbitmq'] %}{{ rabbitmq_user }}:{{ rabbitmq_password }}@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}
|
||||
@ -11,6 +11,9 @@ port = {{ magnum_api_port }}
|
||||
host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
|
||||
{% endif %}
|
||||
|
||||
[oslo_policy]
|
||||
policy_file = /etc/magnum/policy.json
|
||||
|
||||
[database]
|
||||
connection = mysql+pymysql://{{ magnum_database_user }}:{{ magnum_database_password }}@{{ magnum_database_address}}/{{ magnum_database_name }}
|
||||
max_retries = -1
|
||||
@ -18,18 +21,24 @@ max_retries = -1
|
||||
[heat_client]
|
||||
region_name = {{ openstack_region_name }}
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
|
||||
auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
user_domain_id = default
|
||||
project_name = service
|
||||
username = {{ magnum_keystone_user }}
|
||||
password = {{ magnum_keystone_password }}
|
||||
[cinder_client]
|
||||
region_name = {{ openstack_region_name }}
|
||||
|
||||
[trustee]
|
||||
auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
|
||||
[barbican_client]
|
||||
region_name = {{ openstack_region_name }}
|
||||
|
||||
[keystone_auth]
|
||||
auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}/v3
|
||||
user_domain_id = default
|
||||
project_domain_id = default
|
||||
project_name = service
|
||||
password = {{ magnum_keystone_password }}
|
||||
username = {{ magnum_keystone_user }}
|
||||
auth_type = password
|
||||
|
||||
[keystone_authtoken]
|
||||
auth_version = v3
|
||||
auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}/v3
|
||||
auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
@ -42,6 +51,17 @@ memcache_security_strategy = ENCRYPT
|
||||
memcache_secret_key = {{ memcache_secret_key }}
|
||||
memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
|
||||
|
||||
[trust]
|
||||
trustee_domain_admin_password = {{ magnum_keystone_password }}
|
||||
trustee_domain_admin_id = {{ magnum_trustee_domain_admin_id }}
|
||||
trustee_domain_id = {{ magnum_trustee_domain_id}}
|
||||
|
||||
[oslo_concurrency]
|
||||
lock_path = /var/lib/magnum/tmp
|
||||
|
||||
[certificates]
|
||||
{% if enable_barbican | bool %}
|
||||
cert_manager_type = barbican
|
||||
{% else %}
|
||||
cert_manager_type = x509keypair
|
||||
{% endif %}
|
||||
|
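Review bot: `trustee_domain_id = {{ magnum_trustee_domain_id}}` drops the space before the closing braces that every other Jinja expression in this template carries (compare `{{ magnum_trustee_domain_admin_id }}` on the line above); make it `trustee_domain_id = {{ magnum_trustee_domain_id }}`. The `[certificates]` block selects `x509keypair` whenever Barbican is disabled, and with that manager Magnum appears to keep cluster CA key material in its own database — the one reached through the plaintext `connection` string earlier in this file — rather than in a dedicated secret store. A template comment above the `{% if enable_barbican | bool %}` line, such as `{# x509keypair keeps cluster CA keys in the magnum database; enable_barbican moves them to Barbican #}`, would make that trade-off visible to operators choosing the default.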
@ -57,7 +57,7 @@ RUN curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py \
|
||||
MySQL-python \
|
||||
os-client-config==1.16.0 \
|
||||
pyudev \
|
||||
shade==1.4.0
|
||||
shade==1.5.0
|
||||
|
||||
RUN useradd -m --user-group ansible --groups kolla \
|
||||
&& mkdir -p /etc/ansible /usr/share/ansible \
|
||||
|
@ -21,9 +21,9 @@ ADD magnum-base-archive /magnum-base-source
|
||||
RUN ln -s magnum-base-source/* magnum \
|
||||
&& useradd --user-group magnum \
|
||||
&& /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /magnum \
|
||||
&& mkdir -p /etc/magnum /home/magnum \
|
||||
&& mkdir -p /etc/magnum /home/magnum /var/lib/magnum \
|
||||
&& cp -r /magnum/etc/magnum/* /etc/magnum \
|
||||
&& chown -R magnum: /etc/magnum /home/magnum
|
||||
&& chown -R magnum: /etc/magnum /home/magnum /var/lib/magnum
|
||||
|
||||
{% endif %}
|
||||
|
||||
|