diff --git a/devstack/lib/common b/devstack/lib/common index c972f69b..553f53e9 100644 --- a/devstack/lib/common +++ b/devstack/lib/common @@ -44,6 +44,13 @@ function kubernetes_rollout_restart { kubectl rollout restart $resource } +function kubernetes_ensure_resource { + local resource="$1" + for i in {1..60}; do + kubectl get $resource && break || sleep 3; + done +} + function proxy_pass_to_kubernetes { local url=$1 local svc=$2 diff --git a/devstack/lib/heat b/devstack/lib/heat index bed5dac6..2d0d6b9f 100644 --- a/devstack/lib/heat +++ b/devstack/lib/heat 
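Review bot: In devstack/lib/common, `kubernetes_ensure_resource` reports success even when the resource never appears: after the 60th failed `kubectl get` the last command executed is `sleep 3`, so the function returns 0 and the caller goes on to read a secret that does not exist. Make the timeout an error, for example `kubectl get "$resource" >/dev/null && return 0` inside the loop followed by `sleep 3`, and `return 1` after `done`. Declaring `local i` would also keep the loop counter out of the caller's scope.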
@@ -139,17 +139,21 @@ function configure_heat { iniset $HEAT_CONF DEFAULT deferred_auth_method $HEAT_DEFERRED_AUTH fi - - configure_auth_token_middleware $HEAT_CONF heat + kubernetes_ensure_resource secret/heat-application-credential + export HEAT_APPLICATION_CREDENTIAL_SECRET=$(get_data_from_secret heat-application-credential openstack secret) + export HEAT_APPLICATION_CREDENTIAL_ID=$(get_data_from_secret heat-application-credential openstack id) + iniset $HEAT_CONF keystone_authtoken auth_url $KEYSTONE_AUTH_URI_V3 + iniset $HEAT_CONF keystone_authtoken auth_type v3applicationcredential + iniset $HEAT_CONF keystone_authtoken application_credential_id $HEAT_APPLICATION_CREDENTIAL_ID + iniset $HEAT_CONF keystone_authtoken application_credential_secret $HEAT_APPLICATION_CREDENTIAL_SECRET # If HEAT_DEFERRED_AUTH is unset or explicitly set to trusts, configure # the section for the client plugin associated with the trustee if [ -z "$HEAT_DEFERRED_AUTH" -o "trusts" == "$HEAT_DEFERRED_AUTH" ]; then - iniset $HEAT_CONF trustee auth_type password + iniset $HEAT_CONF trustee auth_type v3applicationcredential iniset $HEAT_CONF trustee auth_url $KEYSTONE_AUTH_URI_V3 - iniset $HEAT_CONF trustee username $HEAT_TRUSTEE_USER - iniset $HEAT_CONF trustee password $HEAT_TRUSTEE_PASSWORD - iniset $HEAT_CONF trustee user_domain_id $HEAT_TRUSTEE_DOMAIN + iniset $HEAT_CONF trustee application_credential_id $HEAT_APPLICATION_CREDENTIAL_ID + iniset $HEAT_CONF trustee application_credential_secret $HEAT_APPLICATION_CREDENTIAL_SECRET fi # clients_keystone 
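Review bot: The two `export VAR=$(get_data_from_secret …)` lines at the top of the added block in devstack/lib/heat hide a failed lookup, because `export` returns 0 whatever the command substitution returned, so an empty id or secret would be passed on to the `iniset` calls for both `[keystone_authtoken]` and `[trustee]`. They also put the credential secret into the environment of every process started afterwards; unless something outside this hunk needs that, function-local variables are enough: `local app_cred_secret`, then `app_cred_secret=$(get_data_from_secret heat-application-credential openstack secret)` and `[[ -n "$app_cred_secret" ]] || die $LINENO "heat application credential secret is empty"`, and the same for the id. Separately, `[trustee]` used to have its own user and domain and now shares one credential with token validation, which looks like a loss of privilege separation and deserves a comment explaining why it is acceptable. `configure_heat` starts before and continues after this hunk.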
@@ -261,14 +265,6 @@ function stop_heat { function create_heat_accounts { if [[ "$HEAT_STANDALONE" != "True" ]]; then - local heat_api_service_url - local heat_cfn_api_service_url - - heat_api_service_url="$SERVICE_PROTOCOL://$HEAT_API_HOST/heat-api/v1/\$(project_id)s" - heat_cfn_api_service_url="$SERVICE_PROTOCOL://$HEAT_API_CFN_HOST/heat-api-cfn/v1" - - create_service_user "heat" "admin" - # heat_stack_user role is for users created by Heat get_or_create_role "heat_stack_user" fi @@ -316,6 +312,7 @@ function configure_tempest_for_heat { source $TOP_DIR/openrc admin admin iniset $TEMPEST_CONFIG heat_plugin admin_username $OS_USERNAME iniset $TEMPEST_CONFIG heat_plugin admin_password $OS_PASSWORD + if [[ -e /etc/ci/mirror_info.sh ]]; then source /etc/ci/mirror_info.sh fi diff --git a/openstack_operator/heat.py b/openstack_operator/heat.py index 5b32faaa..22c2e220 100644 --- a/openstack_operator/heat.py +++ b/openstack_operator/heat.py @@ -70,6 +70,9 @@ def create_or_resume(name, spec, **_): api_url = spec["ingress"]["host"]["api"] cfn_url = spec["ingress"]["host"]["api-cfn"] + # Create application credential + identity.ensure_application_credential(name="heat") + # Create service and endpoints identity.ensure_service(name="heat-api", service_type="orchestration", url=api_url, path="/v1/$(project_id)s", diff --git a/zuul.d/functional-jobs.yaml b/zuul.d/functional-jobs.yaml index fc550fd5..55d72f3c 100644 --- a/zuul.d/functional-jobs.yaml +++ b/zuul.d/functional-jobs.yaml @@ -19,6 +19,11 @@ - name: controller label: ubuntu-bionic-expanded-vexxhost vars: + devstack_local_conf: + test-config: + $TEMPEST_CONFIG: + identity-feature-enabled: + application_credentials: true devstack_services: etcd3: false horizon: true
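Review bot: In openstack_operator/heat.py the new call is documented only as `# Create application credential`, which does not tell a reader what the credential is allowed to do or where its secret ends up. Since the devstack side of this commit uses it for both `[keystone_authtoken]` and `[trustee]`, the comment should name the owning user, its roles and the Kubernetes secret it is stored in, for example `# Ensure the "heat" application credential exists; <owner/roles>; secret published as <secret name>` with the placeholders filled in from `identity.ensure_application_credential`. That helper is not visible here, so whether it rotates the secret each time `create_or_resume` runs is also worth stating. The function body starts and ends outside the hunk.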