vexxhost/openstack-operator
Code Issues Proposed changes

Add memcached to keystone

Browse Source 
Change-Id: I52e1a9e41748e14675fbd9987760ef04cfe97cde
This commit is contained in:
okozachenko
2020-07-24 19:45:43 +03:00
parent 5f0ad47923
commit fb5f130a28
3 changed files with 120 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
devstack/lib/keystone
View File

@@ -20,6 +20,92 @@ function install_keystone {
}
export -f install_keystone
# configure_keystone() - Set config files, create data dirs, etc
function configure_keystone {
sudo install -d -o $STACK_USER $KEYSTONE_CONF_DIR
if [[ "$KEYSTONE_CONF_DIR" != "$KEYSTONE_DIR/etc" ]]; then
install -m 600 /dev/null $KEYSTONE_CONF
fi
# Populate ``keystone.conf``
if is_service_enabled ldap; then
iniset $KEYSTONE_CONF identity domain_config_dir "$KEYSTONE_CONF_DIR/domains"
iniset $KEYSTONE_CONF identity domain_specific_drivers_enabled "True"
fi
iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND"
iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS
iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND"
iniset $KEYSTONE_CONF role driver "$KEYSTONE_ROLE_BACKEND"
iniset $KEYSTONE_CONF resource driver "$KEYSTONE_RESOURCE_BACKEND"
# Enable caching
iniset $KEYSTONE_CONF cache enabled $KEYSTONE_ENABLE_CACHE
iniset $KEYSTONE_CONF cache backend $CACHE_BACKEND
iniset $KEYSTONE_CONF cache memcache_servers "mcrouter-memcached-keystone:11211"
iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications
local service_port=$KEYSTONE_SERVICE_PORT
local auth_port=$KEYSTONE_AUTH_PORT
if is_service_enabled tls-proxy; then
# Set the service ports for a proxy to take the originals
service_port=$KEYSTONE_SERVICE_PORT_INT
auth_port=$KEYSTONE_AUTH_PORT_INT
fi
# Override the endpoints advertised by keystone (the public_endpoint and
# admin_endpoint) so that clients use the correct endpoint. By default, the
# keystone server uses the public_port and admin_port which isn't going to
# work when you want to use a different port (in the case of proxy), or you
# don't want the port (in the case of putting keystone on a path in
# apache).
iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
fi
iniset $KEYSTONE_CONF database connection `database_connection_url keystone`
# Set up logging
if [ "$SYSLOG" != "False" ]; then
iniset $KEYSTONE_CONF DEFAULT use_syslog "True"
fi
# Format logging
setup_logging $KEYSTONE_CONF
iniset $KEYSTONE_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s"
_config_keystone_apache_wsgi
else # uwsgi
write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity"
write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin"
fi
iniset $KEYSTONE_CONF DEFAULT max_token_size 16384
iniset $KEYSTONE_CONF fernet_tokens key_repository "$KEYSTONE_CONF_DIR/fernet-keys/"
iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/"
# Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project.
# The users from this project are globally admin as before, but it also
# allows policy changes in order to clarify the adminess scope.
#iniset $KEYSTONE_CONF resource admin_project_domain_name Default
#iniset $KEYSTONE_CONF resource admin_project_name admin
if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
fi
}
# init_keystone() - Initialize databases, etc.
function init_keystone {
kubectl create secret generic keystone-config --from-file=/etc/keystone/keystone.conf -n openstack
@@ -70,7 +156,7 @@ function start_keystone {
fi
# (re)start memcached to make sure we have a clean memcache.
kubectl rollout restart statefulset/memcached-devstack -n default
kubectl rollout restart statefulset/memcached-keystone
sleep 10
}
export -f start_keystone

1
openstack_operator/keystone.py
View File

@@ -110,6 +110,7 @@ def create_or_resume(name, spec, **_):
utils.create_or_update('keystone/daemonset.yml.j2',
name=name, spec=spec,
config_hash=config_hash)
utils.create_or_update('keystone/memcached.yml.j2', spec=spec)
utils.create_or_update('keystone/service.yml.j2',
name=name, spec=spec)
if "ingress" in spec:

32
openstack_operator/templates/keystone/memcached.yml.j2 Normal file
View File

@@ -0,0 +1,32 @@
---
# Copyright 2020 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: infrastructure.vexxhost.cloud/v1alpha1
kind: Memcached
metadata:
name: keystone
namespace: openstack
labels:
{{ labels("keystone") | indent(4) }}
spec:
megabytes: 128
{% if 'nodeSelector' in spec %}
nodeSelector:
{{ spec.nodeSelector | to_yaml | indent(4) }}
{% endif %}
{% if 'tolerations' in spec %}
tolerations:
{{ spec.tolerations | to_yaml | indent(4) }}
{% endif %}