#!/bin/bash # # Copyright 2020 VEXXHOST, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # install_keystone() - Collect source and prepare function install_keystone { echo "Both installation and startup are included in the deployment of keystone crd." } export -f install_keystone # init_keystone() - Initialize databases, etc. function init_keystone { # NOTE(mnaser): Permissions here are bad but it's temporary so we don't care as much. sudo chmod -Rv 777 /etc/keystone if [[ "$RECREATE_KEYSTONE_DB" == True ]]; then # (Re)create keystone database recreate_database keystone fi # DB sync time_start "dbsync" sudo docker run -v /etc/keystone:/etc/keystone vexxhost/keystone:latest keystone-manage --config-file $KEYSTONE_CONF db_sync time_stop "dbsync" # Get fernet keys if [[ "$KEYSTONE_TOKEN_FORMAT" == "fernet" ]]; then rm -rf "$KEYSTONE_CONF_DIR/fernet-keys/" mkdir "$KEYSTONE_CONF_DIR/fernet-keys/" sudo chmod -Rv 777 "$KEYSTONE_CONF_DIR/fernet-keys/" sudo docker run -v /etc/keystone:/etc/keystone vexxhost/keystone:latest keystone-manage --config-file $KEYSTONE_CONF fernet_setup --keystone-user 65534 --keystone-group 65534 fi # Get credential keys rm -rf "$KEYSTONE_CONF_DIR/credential-keys/" sudo docker run -v /etc/keystone:/etc/keystone vexxhost/keystone:latest keystone-manage --config-file $KEYSTONE_CONF credential_setup --keystone-user 65534 --keystone-group 65534 } export -f init_keystone # start_keystone() - Start running processes function start_keystone { # rollout keystone kubernetes_rollout_restart keystone kubernetes_rollout_status keystone # Get right service port for testing local service_port=$KEYSTONE_SERVICE_PORT local auth_protocol=$KEYSTONE_AUTH_PROTOCOL if is_service_enabled tls-proxy; then service_port=$KEYSTONE_SERVICE_PORT_INT auth_protocol="http" fi proxy_pass_to_kubernetes /identity keystone keystone-devstack echo "Waiting for keystone to start..." # Check that the keystone service is running. Even if the tls tunnel # should be enabled, make sure the internal port is checked using # unencryted traffic at this point. # If running in Apache, use the path rather than port. local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/ if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then die $LINENO "keystone did not start" fi # Start proxies if enabled if is_service_enabled tls-proxy; then start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT fi # (re)start memcached to make sure we have a clean memcache. kubectl rollout restart statefulset/memcached-devstack -n default } export -f start_keystone # bootstrap_keystone() - Initialize user, role and project # This function uses the following GLOBAL variables: # - ``KEYSTONE_BIN_DIR`` # - ``ADMIN_PASSWORD`` # - ``IDENTITY_API_VERSION`` # - ``KEYSTONE_AUTH_URI`` # - ``REGION_NAME`` # - ``KEYSTONE_SERVICE_PROTOCOL`` # - ``KEYSTONE_SERVICE_HOST`` # - ``KEYSTONE_SERVICE_PORT`` function bootstrap_keystone { kubectl exec deploy/keystone -- keystone-manage bootstrap \ --bootstrap-username admin \ --bootstrap-password "$ADMIN_PASSWORD" \ --bootstrap-project-name admin \ --bootstrap-role-name admin \ --bootstrap-service-name keystone \ --bootstrap-region-id "$REGION_NAME" \ --bootstrap-admin-url "$KEYSTONE_AUTH_URI" \ --bootstrap-public-url "$KEYSTONE_SERVICE_URI" } export -f bootstrap_keystone