Set up endpoint groups for distributed keystone

This commit sets up Endpoint groups in SystemController and RegionOne regions via Keystone Puppet manifest Story: 2002842 Task: 22785 Change-Id: I9a61dd4dd2ae18b00a7ea3ad2f0e6dc52cf0c348 Signed-off-by: Jack Ding <jack.ding@windriver.com>
2018-06-05 12:45:00 -04:00 · 2018-06-05 12:45:00 -04:00 · 7fffc6432f
commit 7fffc6432f
parent 49041ff8a9
8 changed files with 105 additions and 3 deletions
--- a/puppet-manifests/src/hieradata/controller.yaml
+++ b/puppet-manifests/src/hieradata/controller.yaml
@ -176,6 +176,7 @@ keystone::log_file: /dev/null
 keystone::endpoint::default_domain: 'Default'
 keystone::endpoint::version: 'v3'
 keystone::endpoint::region: 'RegionOne'
+keystone::endpoint::system_controller_region: 'SystemController'
 keystone::endpoint::admin_url: 'http://127.0.0.1:5000'

 keystone::ldap::identity_driver: 'sql'
--- a/puppet-manifests/src/modules/openstack/manifests/keystone.pp
+++ b/puppet-manifests/src/modules/openstack/manifests/keystone.pp
@ -6,6 +6,7 @@ class openstack::keystone::params(
  $auth_uri,
  $host_url,
  $region_name = undef,
+  $system_controller_region = undef,
  $service_name = 'openstack-keystone',
  $token_expiration = 3600,
  $service_create = false,
@ -157,6 +158,7 @@ class openstack::keystone::api
  if ($::openstack::keystone::params::service_create and
      $::platform::params::init_keystone) {
    include ::keystone::endpoint
+    include ::openstack::keystone::endpointgroup

    # Cleanup the endpoints created at bootstrap if they are not in
    # the subcloud region.
@ -251,6 +253,60 @@ class openstack::keystone::reload {
 }


+class openstack::keystone::endpointgroup
+  inherits ::openstack::keystone::params {
+  include ::platform::params
+  include ::openstack::client
+
+  # $::platform::params::init_keystone should be checked by the caller.
+  # as this class should be only invoked when initializing keystone.
+  # i.e. is_initial_config_primary is true is expected.
+
+  if ($::platform::params::distributed_cloud_role =='systemcontroller') {
+    $reference_region = $::openstack::keystone::params::region_name
+    $system_controller_region = $::openstack::keystone::params::system_controller_region
+    $os_username = $::openstack::client::params::admin_username
+    $identity_region = $::openstack::client::params::identity_region
+    $keystone_region = $::openstack::client::params::keystone_identity_region
+    $keyring_file = $::openstack::client::credentials::params::keyring_file
+    $auth_url = $::openstack::client::params::identity_auth_url
+    $os_project_name = $::openstack::client::params::admin_project_name
+    $api_version = 3
+
+    file { "/etc/keystone/keystone-${reference_region}-filter.conf":
+      ensure  => present,
+      owner   => 'root',
+      group   => 'keystone',
+      mode    => '0640',
+      content => template('openstack/keystone-defaultregion-filter.erb'),
+    } ->
+    file { "/etc/keystone/keystone-${system_controller_region}-filter.conf":
+      ensure  => present,
+      owner   => 'root',
+      group   => 'keystone',
+      mode    => '0640',
+      content => template('openstack/keystone-systemcontroller-filter.erb'),
+    } ->
+    exec { 'endpointgroup-${reference_region}-command':
+      cwd => '/etc/keystone',
+      logoutput => true,
+      provider => shell,
+      require => [ Class['openstack::keystone::api'], Class['::keystone::endpoint'] ],
+      command => template('openstack/keystone-defaultregion.erb'),
+      path =>  ['/usr/bin/', '/bin/', '/sbin/', '/usr/sbin/'],
+    }  ->
+    exec { 'endpointgroup-${system_controller_region}-command':
+      cwd => '/etc/keystone',
+      logoutput => true,
+      provider => shell,
+      require => [ Class['openstack::keystone::api'], Class['::keystone::endpoint'] ],
+      command => template('openstack/keystone-systemcontroller.erb'),
+      path =>  ['/usr/bin/', '/bin/', '/sbin/', '/usr/sbin/'],
+    }
+  }
+}
+
+
 class openstack::keystone::server::runtime {
  include ::openstack::client
  include ::openstack::keystone
@ -383,9 +439,8 @@ class openstack::keystone::upgrade (
      sync_db             => false,
      default_domain      => undef,
      default_transport_url   => $::platform::amqp::params::transport_url,
-    } 
+    }

-    
    # Add service account and endpoints for any new R6 services...
    # include ::<new service>::keystone::auth
    # No new services yet...
--- a/puppet-manifests/src/modules/openstack/templates/keystone-defaultregion-filter.erb
+++ b/puppet-manifests/src/modules/openstack/templates/keystone-defaultregion-filter.erb
@ -0,0 +1,3 @@
+{
+  "region_id": "<%=@reference_region %>"
+}
--- a/puppet-manifests/src/modules/openstack/templates/keystone-defaultregion.erb
+++ b/puppet-manifests/src/modules/openstack/templates/keystone-defaultregion.erb
@ -0,0 +1,19 @@
+PASSWORD=$(TERM=linux <%= @keyring_file %> 2>/dev/null)
+ENDPOINTGROUP_ID=$(openstack endpoint group create \
+distributed_cloud_<%=@reference_region %> \
+keystone-<%=@reference_region %>-filter.conf \
+  --os-username <%=@os_username %> \
+  --os-password $PASSWORD \
+  --os-region-name <%=@identity_region %> \
+  --os-keystone-region-name <%=@keystone_region %> \
+  --os-auth-url <%=@auth_url %> \
+  --os-identity-api-version <%=@api_version %> \
+  --os-project-name <%=@os_project_name %> | awk '/id\ \ / { print $4 }' )
+openstack endpoint group add project $ENDPOINTGROUP_ID services \
+  --os-username <%=@os_username %> \
+  --os-password $PASSWORD \
+  --os-region-name <%=@identity_region %> \
+  --os-keystone-region-name <%=@keystone_region %> \
+  --os-auth-url <%=@auth_url %> \
+  --os-identity-api-version <%=@api_version %> \
+  --os-project-name <%=@os_project_name %>
--- a/puppet-manifests/src/modules/openstack/templates/keystone-systemcontroller-filter.erb
+++ b/puppet-manifests/src/modules/openstack/templates/keystone-systemcontroller-filter.erb
@ -0,0 +1,3 @@
+{
+  "region_id": "<%=@system_controller_region %>"
+}
--- a/puppet-manifests/src/modules/openstack/templates/keystone-systemcontroller.erb
+++ b/puppet-manifests/src/modules/openstack/templates/keystone-systemcontroller.erb
@ -0,0 +1,19 @@
+PASSWORD=$(TERM=linux <%= @keyring_file %> 2>/dev/null)
+ENDPOINTGROUP_ID=$(openstack endpoint group create \
+distributed_cloud_<%=@system_controller_region %> \
+keystone-<%=@system_controller_region %>-filter.conf \
+  --os-username <%=@os_username %> \
+  --os-password $PASSWORD \
+  --os-region-name <%=@identity_region %> \
+  --os-keystone-region-name <%=@keystone_region %> \
+  --os-auth-url <%=@auth_url %> \
+  --os-identity-api-version <%=@api_version %> \
+  --os-project-name <%=@os_project_name %> | awk '/id\ \ / { print $4 }' )
+openstack endpoint group add project $ENDPOINTGROUP_ID services \
+  --os-username <%=@os_username %> \
+  --os-password $PASSWORD \
+  --os-region-name <%=@identity_region %> \
+  --os-keystone-region-name <%=@keystone_region %> \
+  --os-auth-url <%=@auth_url %> \
+  --os-identity-api-version <%=@api_version %> \
+  --os-project-name <%=@os_project_name %>
--- a/puppet-modules-wrs/puppet-dcmanager/src/dcmanager/manifests/keystone/auth.pp
+++ b/puppet-modules-wrs/puppet-dcmanager/src/dcmanager/manifests/keystone/auth.pp
@ -17,7 +17,7 @@ class dcmanager::keystone::auth (
  $auth_name            = 'dcmanager',
  $auth_domain,
  $email                = 'dcmanager@localhost',
-  $tenant               = 'services',
+  $tenant               = 'admin',
  $region               = 'SystemController',
  $service_description  = 'DCManagerService',
  $service_name         = undef,
--- a/sysinv/sysinv/sysinv/sysinv/puppet/keystone.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/keystone.py
@ -117,6 +117,8 @@ class KeystonePuppet(openstack.OpenstackBasePuppet):
            # system resides
            'openstack::keystone::params::region_name':
                self._identity_specific_region_name(),
+            'openstack::keystone::params::system_controller_region':
+                constants.SYSTEM_CONTROLLER_REGION,
            'openstack::keystone::params::service_create':
                self._to_create_services(),