From f3f6f19c4e72523144574e431a4a269893ba5e02 Mon Sep 17 00:00:00 2001 From: okozachenko Date: Mon, 10 Aug 2020 17:29:17 +0300 Subject: [PATCH] Add applicationcredentials CR Change-Id: I4316bdd0ecb0d083ad0023bc8ad634773b0b7acf --- ...y.openstack.org_applicationcredential.yaml | 24 ++++++ chart/templates/clusterrole.yaml | 2 + chart/templates/deployment.yaml | 2 + devstack/lib/keystone | 35 ++++----- openstack_operator/identity.py | 8 ++ openstack_operator/objects.py | 9 +++ .../identity/applicationcredential.py | 77 +++++++++++++++++++ .../identity/applicationcredential.yml.j2 | 19 +++++ .../secret-applicationcredential.yml.j2 | 23 ++++++ 9 files changed, 181 insertions(+), 18 deletions(-) create mode 100644 chart/crds/identity.openstack.org_applicationcredential.yaml create mode 100644 openstack_operator/openstack/identity/applicationcredential.py create mode 100644 openstack_operator/templates/identity/applicationcredential.yml.j2 create mode 100644 openstack_operator/templates/identity/secret-applicationcredential.yml.j2 diff --git a/chart/crds/identity.openstack.org_applicationcredential.yaml b/chart/crds/identity.openstack.org_applicationcredential.yaml new file mode 100644 index 00000000..6eb7ec8d --- /dev/null +++ b/chart/crds/identity.openstack.org_applicationcredential.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: applicationcredentials.identity.openstack.org +spec: + group: identity.openstack.org + names: + kind: ApplicationCredential + listKind: ApplicationCredentialList + plural: applicationcredentials + singular: applicationcredential + scope: Cluster + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/chart/templates/clusterrole.yaml b/chart/templates/clusterrole.yaml index 93ced890..76706cbf 100644 --- a/chart/templates/clusterrole.yaml 
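Review bot: The new CRD declares neither `subresources: {status: {}}` nor a `validation.openAPIV3Schema`, so the `applicationcredentials/status` RBAC rule added to clusterrole.yaml in the same change targets a subresource the API server will not serve, and any `spec` content on an ApplicationCredential is accepted unvalidated. If the controller is meant to write status, add `subresources:` with `status: {}` under `spec:`; otherwise drop the `/status` rule. A minimal schema (`type: object` plus `x-kubernetes-preserve-unknown-fields: true` if nothing is validated yet) is also what the `apiextensions.k8s.io/v1` form of this object requires, and `apiextensions.k8s.io/v1beta1` is the deprecated API, so adding it now avoids a second migration.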
+++ b/chart/templates/clusterrole.yaml @@ -127,6 +127,7 @@ rules: - apiGroups: - identity.openstack.org resources: + - applicationcredentials - services - keystones - endpoints @@ -141,6 +142,7 @@ rules: - apiGroups: - identity.openstack.org resources: + - applicationcredentials/status - services/status - keystones/status - endpoints/status diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index f25c3cf5..b14db0f4 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml @@ -44,6 +44,8 @@ spec: - -m - openstack_operator.memcached - -m + - openstack_operator.openstack.identity.applicationcredential + - -m - openstack_operator.openstack.identity.endpoints - -m - openstack_operator.openstack.identity.services diff --git a/devstack/lib/keystone b/devstack/lib/keystone index 7c7834ec..a832d42d 100644 --- a/devstack/lib/keystone +++ b/devstack/lib/keystone @@ -16,24 +16,6 @@ # install_keystone() - Collect source and prepare function install_keystone { - echo noop -} -export -f install_keystone - -# configure_keystone() - Set config files, create data dirs, etc -function configure_keystone { - echo noop -} - -# init_keystone() - Initialize databases, etc. -function init_keystone { - echo noop -} -export -f init_keystone - -# start_keystone() - Start running processes -function start_keystone { - # rollout keystone kubernetes_rollout_restart daemonset/keystone kubernetes_rollout_status daemonset/keystone @@ -60,6 +42,23 @@ function start_keystone { die $LINENO "keystone did not start" fi } +export -f install_keystone + +# configure_keystone() - Set config files, create data dirs, etc +function configure_keystone { + echo noop +} + +# init_keystone() - Initialize databases, etc. +function init_keystone { + echo noop +} +export -f init_keystone + +# start_keystone() - Start running processes +function start_keystone { + echo noop +} export -f start_keystone # bootstrap_keystone() - Initialize user, role and project 
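Review bot: The rule gains `applicationcredentials` and `applicationcredentials/status`, but the CRD added in this change declares no status subresource, so the `/status` entry grants a path that does not exist unless the CRD is extended; either add `subresources: {status: {}}` to the CRD or drop the entry here. The controller also writes a Secret into the `openstack` namespace for every ApplicationCredential (secret-applicationcredential.yml.j2), which this hunk does not cover; the verbs list and any `secrets` rule are outside the hunk, so please confirm an existing rule grants `create`/`patch` on `secrets` there, ideally via a namespaced Role rather than widening the ClusterRole.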
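Review bot: `install_keystone` now carries the daemonset rollout and the readiness wait (`kubernetes_rollout_restart daemonset/keystone` through `die $LINENO "keystone did not start"`), while `start_keystone` is reduced to `echo noop`, yet the header comment above it still reads `# install_keystone() - Collect source and prepare`. Update it to describe what the function does now, e.g. `# install_keystone() - Roll out the keystone daemonset and wait until it is ready`, and consider rewording the message to `"keystone did not roll out"` since it now fires from the install phase. The middle of `install_keystone`'s body lies between the two hunks and is outside what I can see.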
diff --git a/openstack_operator/identity.py b/openstack_operator/identity.py index 38e99007..5a7088a1 100644 --- a/openstack_operator/identity.py +++ b/openstack_operator/identity.py @@ -46,3 +46,11 @@ def ensure_service(name, service_type, desc, url=None, path=""): utils.create_or_update('identity/endpoint.yml.j2', service=service_type, interface='public', url=public_url) + + +def ensure_application_credential(name): + """Create or update applicationcredentials + """ + + utils.create_or_update('identity/applicationcredential.yml.j2', + name=name) diff --git a/openstack_operator/objects.py b/openstack_operator/objects.py index 172d3162..73366419 100644 --- a/openstack_operator/objects.py +++ b/openstack_operator/objects.py @@ -37,6 +37,14 @@ from pykube.objects import Service from pykube.objects import StatefulSet +class IdentityApplicationCredential(APIObject): + """ApplicationCredential Kubernetes object""" + + version = "identity.openstack.org/v1alpha1" + endpoint = "applicationcredentials" + kind = "ApplicationCredential" + + class IdentityService(APIObject): """Service Kubernetes object""" @@ -124,6 +132,7 @@ MAPPING = { "Ingress": Ingress }, "identity.openstack.org/v1alpha1": { + "ApplicationCredential": IdentityApplicationCredential, "Service": IdentityService, "Endpoint": IdentityEndpoint }, diff --git a/openstack_operator/openstack/identity/applicationcredential.py b/openstack_operator/openstack/identity/applicationcredential.py new file mode 100644 index 00000000..080e26c8 --- /dev/null +++ b/openstack_operator/openstack/identity/applicationcredential.py 
@@ -0,0 +1,77 @@ +# Copyright 2020 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""Application Credential Operator + +This operator helps manage the creation and removal of application +credential inside Keystone using custom resources. +""" + +import kopf +from openstack_operator import utils + + +def _get_admin_user_id(): + """Get admin user id""" + + conn = utils.get_openstack_connection() + user_name = conn.config.auth["username"] + domain_id = conn.config.auth["user_domain_id"] + user = conn.get_user(name_or_id=user_name, domain_id=domain_id) + return user.id + + +@kopf.on.resume('identity.openstack.org', 'v1alpha1', 'applicationcredentials') +@kopf.on.create('identity.openstack.org', 'v1alpha1', 'applicationcredentials') +def create_or_resume(name, **_): + """Create or resume controller + + This function runs when a new resource is created or when the + controller is first started. 
It creates or updates the appropriate + applicationcredential.""" + + identity = utils.get_openstack_connection().identity + + user = _get_admin_user_id() + credential = \ + identity.find_application_credential(user=user, name_or_id=name) + + if credential is None: + credential = \ + identity.create_application_credential(user=user, name=name) + utils.create_or_update( + 'identity/secret-applicationcredential.yml.j2', + name=name, secret=credential.secret, + id=credential.id, adopt=True) + + +@kopf.on.delete('identity.openstack.org', 'v1alpha1', 'applicationcredentials') +def delete(name, **_): + """Delete an endpoint + + This function runs when the applicationcredential CR is deleted and + removes the record from Keystone. + """ + + identity = utils.get_openstack_connection().identity + + user = _get_admin_user_id() + credential = \ + identity.find_application_credential(user=user, name_or_id=name) + + if credential is None: + return + + identity.delete_application_credential(user=user, + application_credential=name) diff --git a/openstack_operator/templates/identity/applicationcredential.yml.j2 b/openstack_operator/templates/identity/applicationcredential.yml.j2 new file mode 100644 index 00000000..4d5aef40 --- /dev/null +++ b/openstack_operator/templates/identity/applicationcredential.yml.j2 
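Review bot: `delete` looks the credential up by name but then calls `identity.delete_application_credential(user=user, application_credential=name)` with the name rather than the object it just found; if the SDK resolves that argument as an ID (only the `find_*` call accepts a name), the DELETE targets a non-existent ID, the 404 is swallowed by the proxy's default `ignore_missing=True`, and the credential outlives its CR in Keystone. Pass the found resource and fail loudly: `identity.delete_application_credential(user=user, application_credential=credential, ignore_missing=False)`. Separately, `identity.create_application_credential(user=user, name=name)` is issued for the operator's admin user with no `roles=` or `expires_at=`, so every CR materialises a credential carrying all of that user's roles into a Secret in the `openstack` namespace; restrict it with `roles=` unless full admin is intended, and say so in the docstring. Because Keystone returns the secret only in the create response, an existing credential whose Secret was lost cannot be re-populated on resume — that deserves a comment on the `if credential is None` branch — and the delete docstring still says `Delete an endpoint`.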
@@ -0,0 +1,19 @@ +--- +# Copyright 2020 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: identity.openstack.org/v1alpha1 +kind: ApplicationCredential +metadata: + name: {{ name }} diff --git a/openstack_operator/templates/identity/secret-applicationcredential.yml.j2 b/openstack_operator/templates/identity/secret-applicationcredential.yml.j2 new file mode 100644 index 00000000..d97d475d --- /dev/null +++ b/openstack_operator/templates/identity/secret-applicationcredential.yml.j2 @@ -0,0 +1,23 @@ +--- +# Copyright 2020 VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +metadata: + name: {{ name }}-application-credential + namespace: openstack +stringData: + id: {{ id }} + secret: {{ secret }} +kind: Secret
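Review bot: `secret: {{ secret }}` and `id: {{ id }}` are rendered as bare YAML scalars, so a Keystone-generated value that starts with a YAML indicator (`-`, `*`, `&`, `!`, `@`, `` ` ``) or contains `: ` or ` #` will fail to parse or be silently truncated, and an all-digit value is read as a number before it reaches the Secret. Quote both, e.g. `id: {{ id | tojson }}` and `secret: {{ secret | tojson }}`. The namespace `openstack` is hard-coded while the owning CR is cluster-scoped; if `adopt=True` on the caller is relied on to garbage-collect this Secret with the CR, a one-line comment saying so would save the next reader from checking.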