Fix Magnum trustee issues

This patch set fixes all Magnum issues in kolla master.

The [trust] section set to magnum.conf
using created trustee domain and user for Magnum
in ansible/roles/magnum/tasks/register.yml using ansible
openstack modules.

Bump shade to 1.5.0 in kolla-toolbox because of
os_user_role ansible module dependency.

Certificate storage is changed from 'local' (non-production)
to magnum's internal storage (x509keypair) or barbican.

Co-Authored-By: Martin Matyas <martinx.maty@intel.com>
Change-Id: Ifcb016c0bc4c8c3fc20e063fa05dc8838aae838c
Closes-Bug: #1551992

ansible/roles/magnum/tasks/register.yml

@@ -38,3 +38,55 @@
   retries: 10
   delay: 5
   run_once: True
+
+- name: Creating Magnum trustee domain
+  command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+    -m os_keystone_domain
+    -a "name=magnum
+        description='Owns users and projects created by magnum'
+        auth={{ '{{ openstack_magnum_auth }}' }}"
+    -e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
+  register: trustee_domain
+  changed_when: "{{ trustee_domain.stdout.find('localhost | SUCCESS => ') != -1 and (trustee_domain.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: trustee_domain.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
+  run_once: True
+
+- name: Setting Magnum trustee domain value
+  set_fact:
+    magnum_trustee_domain_id: "{{ (trustee_domain.stdout.split('localhost | SUCCESS => ')[1]|from_json).id }}"
+
+- name: Creating Magnum trustee user
+  command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+    -m os_user
+    -a "name=magnum_trustee_domain_admin
+        domain=magnum
+        password={{ magnum_keystone_password }}
+        auth={{ '{{ openstack_magnum_auth }}' }}"
+    -e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
+  register: trustee_user
+  changed_when: "{{ trustee_user.stdout.find('localhost | SUCCESS => ') != -1 and (trustee_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: trustee_user.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
+  run_once: True
+
+- name: Setting Magnum trustee user value
+  set_fact:
+    magnum_trustee_domain_admin_id: "{{ (trustee_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).user.id }}"
+
+- name: Creating Magnum trustee user role
+  command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+    -m os_user_role
+    -a "domain={{ magnum_trustee_domain_id }}
+        user={{ magnum_trustee_domain_admin_id }}
+        role=admin
+        auth={{ '{{ openstack_magnum_auth }}' }}"
+    -e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
+  register: magnum_user_role_result
+  changed_when: "{{ magnum_user_role_result.stdout.find('localhost | SUCCESS => ') != -1 and (magnum_user_role_result.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: magnum_user_role_result.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
+  run_once: True

ansible/roles/magnum/tasks/start.yml

@@ -20,5 +20,6 @@
     volumes:
       - "{{ node_config_directory }}/magnum-conductor/:{{ container_config_directory }}/:ro"
       - "/etc/localtime:/etc/localtime:ro"
+      - "magnum:/var/lib/magnum/"
       - "kolla_logs:/var/log/kolla/"
   when: inventory_hostname in groups['magnum-conductor']

ansible/roles/magnum/templates/magnum.conf.j2

@@ -1,6 +1,6 @@
 [DEFAULT]
 debug = {{ magnum_logging_debug }}
-
+state_path = /var/lib/magnum
 log_dir = /var/log/kolla/magnum
 
 transport_url = rabbit://{% for host in groups['rabbitmq'] %}{{ rabbitmq_user }}:{{ rabbitmq_password }}@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}
@@ -11,6 +11,9 @@ port = {{ magnum_api_port }}
 host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 {% endif %}
 
+[oslo_policy]
+policy_file = /etc/magnum/policy.json
+
 [database]
 connection = mysql+pymysql://{{ magnum_database_user }}:{{ magnum_database_password }}@{{ magnum_database_address}}/{{ magnum_database_name }}
 max_retries = -1
@@ -18,18 +21,24 @@ max_retries = -1
 [heat_client]
 region_name = {{ openstack_region_name }}
 
-[keystone_authtoken]
+[cinder_client]
-auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
+region_name = {{ openstack_region_name }}
-auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
-auth_type = password
-project_domain_id = default
-user_domain_id = default
-project_name = service
-username = {{ magnum_keystone_user }}
-password = {{ magnum_keystone_password }}
 
-[trustee]
+[barbican_client]
-auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
+region_name = {{ openstack_region_name }}
+
+[keystone_auth]
+auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}/v3
+user_domain_id = default
+project_domain_id = default
+project_name = service
+password = {{ magnum_keystone_password }}
+username = {{ magnum_keystone_user }}
+auth_type = password
+
+[keystone_authtoken]
+auth_version = v3
+auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}/v3
 auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
 auth_type = password
 project_domain_id = default
@@ -42,6 +51,17 @@ memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
 
+[trust]
+trustee_domain_admin_password = {{ magnum_keystone_password }}
+trustee_domain_admin_id = {{ magnum_trustee_domain_admin_id }}
+trustee_domain_id = {{ magnum_trustee_domain_id}}
 
 [oslo_concurrency]
 lock_path = /var/lib/magnum/tmp
+
+[certificates]
+{% if enable_barbican | bool %}
+cert_manager_type = barbican
+{% else %}
+cert_manager_type = x509keypair
+{% endif %}

docker/kolla-toolbox/Dockerfile.j2

@@ -57,7 +57,7 @@ RUN curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py \
         MySQL-python \
         os-client-config==1.16.0 \
         pyudev \
-        shade==1.4.0
+        shade==1.5.0
 
 RUN useradd -m --user-group ansible --groups kolla \
     && mkdir -p /etc/ansible /usr/share/ansible \

docker/magnum/magnum-base/Dockerfile.j2

@@ -21,9 +21,9 @@ ADD magnum-base-archive /magnum-base-source
 RUN ln -s magnum-base-source/* magnum \
     && useradd --user-group magnum \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /magnum \
-    && mkdir -p /etc/magnum /home/magnum \
+    && mkdir -p /etc/magnum /home/magnum /var/lib/magnum \
     && cp -r /magnum/etc/magnum/* /etc/magnum \
-    && chown -R magnum: /etc/magnum /home/magnum
+    && chown -R magnum: /etc/magnum /home/magnum /var/lib/magnum
 
 {% endif %}