From 54b862f3cec8503556ea856104817b38836810ab Mon Sep 17 00:00:00 2001
From: Hua Wang <wanghua.humble@gmail.com>
Date: Wed, 16 Mar 2016 19:32:16 +0800
Subject: [PATCH 4/8] Use trust for tls generation

Currently, we use the user's auth token, which expires after a while.

We need to use a trust instead.

Change-Id: Ie18e6a1371871720fbfd4af0bd43e166075b0c6d
Closes-Bug: #1503863
Partially-Implements: blueprint use-trust-for-tls-cert-generation
---
 devstack/lib/magnum                                |  5 +++-
 .../kubernetes/fragments/make-cert-client.sh       | 31 ++++++++++++++++++++++
 magnum/templates/kubernetes/fragments/make-cert.sh | 31 ++++++++++++++++++++++
 .../fragments/write-heat-params-master.sh          |  5 +++-
 .../kubernetes/fragments/write-heat-params.yaml    |  4 +++
 magnum/templates/kubernetes/kubecluster.yaml       |  9 ++++++-
 magnum/templates/kubernetes/kubemaster.yaml        | 30 +++++++++++++++++----
 magnum/templates/kubernetes/kubeminion.yaml        | 25 +++++++++++++++++
 8 files changed, 132 insertions(+), 8 deletions(-)

diff --git a/devstack/lib/magnum b/devstack/lib/magnum
index a7870da..366b2a3 100644
--- a/devstack/lib/magnum
+++ b/devstack/lib/magnum
@@ -145,7 +145,9 @@ function create_magnum_conf {
 
     configure_auth_token_middleware $MAGNUM_CONF magnum $MAGNUM_AUTH_CACHE_DIR
 
-    iniset $MAGNUM_CONF keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI/v3
+    iniset $MAGNUM_CONF keystone_auth auth_url $KEYSTONE_SERVICE_URI/v3
+    iniset $MAGNUM_CONF keystone_authtoken auth_uri \
+           ${KEYSTONE_SERVICE_PROTOCOL}://${HOST_IP}:${KEYSTONE_SERVICE_PORT}/v3
     iniset $MAGNUM_CONF keystone_authtoken auth_version v3
 
     if is_fedora || is_suse; then
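Review bot: The new `keystone_auth auth_url` keeps `$KEYSTONE_SERVICE_URI` while `keystone_authtoken auth_uri` is now rebuilt from `$HOST_IP`, and nothing in the hunk says why the two differ, so a reader will take one of them for a mistake. If the intent is that the value handed to bay nodes must be reachable from inside the bay network (the iptables hunk further down opens `$KEYSTONE_SERVICE_PORT` on `$HOST_IP`), state it above the iniset: `# bay nodes reach keystone by $HOST_IP, not by the devstack hostname`. Note that when `$KEYSTONE_SERVICE_PROTOCOL` is https, a certificate issued for the hostname will not validate against an IP-based URL, so the nodes' curl calls would fail unless the certificate carries the IP as a SAN. This presumes magnum reads a `[keystone_auth]` section; that consumer is not visible here.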
@@ -304,6 +306,7 @@ function configure_iptables {
         sudo iptables -t nat -A POSTROUTING -o $OBOUND_DEV -j MASQUERADE
         # bay nodes will access m-api (port $MAGNUM_SERVICE_PORT) to get CA certificate.
         sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT || true
+        sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $KEYSTONE_SERVICE_PORT -j ACCEPT || true
     fi
 }
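Review bot: The comment above the two rules still explains only the m-api port; the new rule for `$KEYSTONE_SERVICE_PORT` has no explanation, and like the line above it accepts from any source rather than just the bay nodes. Add `# bay nodes will access keystone (port $KEYSTONE_SERVICE_PORT) to obtain a trust-scoped token.` above the new line. An unrestricted INPUT rule is tolerable in devstack, but if the bay network is known here, a `-s` filter on both rules would limit exposure of keystone on the host IP.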
 
diff --git a/magnum/templates/kubernetes/fragments/make-cert-client.sh b/magnum/templates/kubernetes/fragments/make-cert-client.sh
index 04f2794..b009ecd 100644
--- a/magnum/templates/kubernetes/fragments/make-cert-client.sh
+++ b/magnum/templates/kubernetes/fragments/make-cert-client.sh
@@ -36,6 +36,37 @@ CLIENT_CERT=$cert_dir/client.crt
 CLIENT_CSR=$cert_dir/client.csr
 CLIENT_KEY=$cert_dir/client.key
 
+#Get a token by user credentials and trust
+cat > auth.json << EOF
+{
+    "auth": {
+        "identity": {
+            "methods": [
+                "password"
+            ],
+            "password": {
+                "user": {
+                    "id": "$TRUSTEE_USER_ID",
+                    "password": "$TRUSTEE_PASSWORD"
+                }
+            }
+        },
+        "scope": {
+            "OS-TRUST:trust": {
+                "id": "$TRUST_ID"
+            }
+        }
+    }
+}
+EOF
+
+#trust is introduced in Keystone v3 version
+AUTH_URL=${AUTH_URL/v2.0/v3}
+USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
+                 $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
+
+rm -rf auth.json
+
 # Get CA certificate for this bay
 curl -X GET \
   -H "X-Auth-Token: $USER_TOKEN" \
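Review bot: `cat > auth.json` writes the trustee password into whatever the current working directory is, with default umask permissions, and the token request is never checked: if keystone rejects the credentials, `USER_TOKEN` is empty and the CA fetch below runs with a blank `X-Auth-Token:` instead of failing. Write the request body to a `mktemp` file (created 0600), remove it from a trap so it does not survive an early exit, and abort when no token comes back. The `X-Subject-Token` header line ends in CRLF, so `awk '{print $2}'` most likely leaves a trailing carriage return on the token; `tr -d '\r'` after the awk strips it. `${AUTH_URL/v2.0/v3}` is a bash-only substitution, so the fragment's interpreter line (above the hunk) must be bash, and a password containing `"` or `\` would break the JSON literal.
```shell
# … unchanged: CLIENT_* path definitions …

# Get a trust-scoped token with the trustee's credentials; the body is
# written to a private temp file because it carries the password.
AUTH_JSON=$(mktemp)
trap 'rm -f "$AUTH_JSON"' EXIT
cat > "$AUTH_JSON" << EOF
{
    "auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {"id": "$TRUSTEE_USER_ID", "password": "$TRUSTEE_PASSWORD"}}
        },
        "scope": {"OS-TRUST:trust": {"id": "$TRUST_ID"}}
    }
}
EOF

# trust scoping exists only in the Keystone v3 API
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=$(curl -sS -f -i -X POST -H "Content-Type: application/json" -d @"$AUTH_JSON" \
                 "$AUTH_URL/auth/tokens" | grep -i '^X-Subject-Token:' | awk '{print $2}' | tr -d '\r')
rm -f "$AUTH_JSON"

if [ -z "$USER_TOKEN" ]; then
    echo "ERROR: could not obtain a trust-scoped token from $AUTH_URL" >&2
    exit 1
fi

# … unchanged: CA certificate fetch …
```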
diff --git a/magnum/templates/kubernetes/fragments/make-cert.sh b/magnum/templates/kubernetes/fragments/make-cert.sh
index d209fc4..6f5aa08 100644
--- a/magnum/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/templates/kubernetes/fragments/make-cert.sh
@@ -43,6 +43,37 @@ SERVER_CERT=$cert_dir/server.crt
 SERVER_CSR=$cert_dir/server.csr
 SERVER_KEY=$cert_dir/server.key
 
+#Get a token by user credentials and trust
+cat > auth.json << EOF
+{
+    "auth": {
+        "identity": {
+            "methods": [
+                "password"
+            ],
+            "password": {
+                "user": {
+                    "id": "$TRUSTEE_USER_ID",
+                    "password": "$TRUSTEE_PASSWORD"
+                }
+            }
+        },
+        "scope": {
+            "OS-TRUST:trust": {
+                "id": "$TRUST_ID"
+            }
+        }
+    }
+}
+EOF
+
+#trust is introduced in Keystone v3 version
+AUTH_URL=${AUTH_URL/v2.0/v3}
+USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
+                 $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
+
+rm -rf auth.json
+
 # Get CA certificate for this bay
 curl -X GET \
   -H "X-Auth-Token: $USER_TOKEN" \
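Review bot: This token block is a byte-for-byte copy of the one added to make-cert-client.sh in the same patch and has the same gaps: the request body holding `TRUSTEE_PASSWORD` goes to `auth.json` in the current directory with default permissions, and an authentication failure leaves `USER_TOKEN` empty without stopping the script, so the CA fetch below runs with no usable token. At minimum add `[ -n "$USER_TOKEN" ] || { echo "failed to get trust-scoped token from $AUTH_URL" >&2; exit 1; }` after the `rm`, and use `rm -f` rather than `rm -rf` for a single file. The CRLF-terminated header line probably leaves a trailing `\r` on the token; `| tr -d '\r'` after the awk removes it. Since master and minion need exactly this sequence, a shared fragment both scripts source would keep the two copies from drifting.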
diff --git a/magnum/templates/kubernetes/fragments/write-heat-params-master.sh b/magnum/templates/kubernetes/fragments/write-heat-params-master.sh
index 85ab66d..f91eaae 100644
--- a/magnum/templates/kubernetes/fragments/write-heat-params-master.sh
+++ b/magnum/templates/kubernetes/fragments/write-heat-params-master.sh
@@ -17,7 +17,6 @@ FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
 FLANNEL_USE_VXLAN="$FLANNEL_USE_VXLAN"
 PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
 ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
-AUTH_URL="$AUTH_URL"
 USERNAME="$USERNAME"
 PASSWORD="$PASSWORD"
 TENANT_NAME="$TENANT_NAME"
@@ -30,6 +29,10 @@ HTTP_PROXY="$HTTP_PROXY"
 HTTPS_PROXY="$HTTPS_PROXY"
 NO_PROXY="$NO_PROXY"
 WAIT_CURL="$WAIT_CURL"
+TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
+TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
+TRUST_ID="$TRUST_ID"
+AUTH_URL="$AUTH_URL"
 END
 
 chown root:root /etc/sysconfig/heat-params
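Review bot: /etc/sysconfig/heat-params now carries `TRUSTEE_PASSWORD` and `TRUST_ID`, which together let anyone who can read the file mint trust-scoped tokens for the lifetime of the trust; the `chown root:root` after the heredoc sets ownership, but no `chmod` is visible in the hunk, so unless one exists past the end of the script the file keeps whatever the umask produced. Add `chmod 600 /etc/sysconfig/heat-params` next to the chown, or confirm it is already applied below. `USERNAME`/`PASSWORD` already lived in this file, so the exposure is not new, but a trust credential outlives a user token and deserves the explicit mode. The heredoc that writes the file starts above the hunk.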
diff --git a/magnum/templates/kubernetes/fragments/write-heat-params.yaml b/magnum/templates/kubernetes/fragments/write-heat-params.yaml
index 10d7ae3..23747ce 100644
--- a/magnum/templates/kubernetes/fragments/write-heat-params.yaml
+++ b/magnum/templates/kubernetes/fragments/write-heat-params.yaml
@@ -31,3 +31,7 @@ write_files:
       HTTPS_PROXY="$HTTPS_PROXY"
       NO_PROXY="$NO_PROXY"
       WAIT_CURL="$WAIT_CURL"
+      TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
+      TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
+      TRUST_ID="$TRUST_ID"
+      AUTH_URL="$AUTH_URL"
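Review bot: This `write_files` entry now carries the trustee password and trust id, but the entry's `path`/`permissions` fields are above the hunk and not visible here; cloud-init uses 0644 when `permissions` is omitted, which would make the minion's heat-params world-readable. Confirm the entry sets `permissions: '0600'` and `owner: root:root`, and add them if it does not. The master-side script in this same patch does a `chown root:root` on its copy, so the minion file should get an equivalent restriction.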
diff --git a/magnum/templates/kubernetes/kubecluster.yaml b/magnum/templates/kubernetes/kubecluster.yaml
index eb04cbc..ff7bd1d 100644
--- a/magnum/templates/kubernetes/kubecluster.yaml
+++ b/magnum/templates/kubernetes/kubecluster.yaml
@@ -311,7 +311,6 @@ resources:
           fixed_subnet: ""
           api_pool_id: ""
           etcd_pool_id: ""
-          auth_url: {get_param: auth_url}
           username: {get_param: username}
           password: {get_param: password}
           tenant_name: {get_param: tenant_name}
@@ -322,6 +321,10 @@ resources:
           http_proxy: {get_param: http_proxy}
           https_proxy: {get_param: https_proxy}
           no_proxy: {get_param: no_proxy}
+          trustee_user_id: {get_param: trustee_user_id}
+          trustee_password: {get_param: trustee_password}
+          trust_id: {get_param: trust_id}
+          auth_url: {get_param: auth_url}
 
   ######################################################################
   #
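Review bot: These four `get_param` references need matching entries in kubecluster.yaml's own `parameters:` section, and this patch adds none (the diffstat shows 8 insertions in this file, all in resource properties); Heat rejects a template whose `get_param` names an undeclared parameter, so stack creation will fail unless an earlier patch in this series already declared them. If they are missing, declare them with the same `hidden: true` on `trustee_password` and `trust_id` that kubemaster.yaml uses, e.g. `trustee_password:` / `type: string` / `hidden: true`. The `auth_url` line was only moved, so that one is presumably already declared.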
@@ -371,6 +374,10 @@ resources:
           http_proxy: {get_param: http_proxy}
           https_proxy: {get_param: https_proxy}
           no_proxy: {get_param: no_proxy}
+          trustee_user_id: {get_param: trustee_user_id}
+          trustee_password: {get_param: trustee_password}
+          trust_id: {get_param: trust_id}
+          auth_url: {get_param: auth_url}
 
 outputs:
 
diff --git a/magnum/templates/kubernetes/kubemaster.yaml b/magnum/templates/kubernetes/kubemaster.yaml
index 9a2d0f5..59c86ff 100644
--- a/magnum/templates/kubernetes/kubemaster.yaml
+++ b/magnum/templates/kubernetes/kubemaster.yaml
@@ -126,10 +126,6 @@ parameters:
   etcd_pool_id:
     type: string
     description: ID of the load balancer pool of etcd server.
-  auth_url:
-    type: string
-    description: >
-      url for kubernetes to authenticate before sending request to neutron
   username:
     type: string
     description: >
@@ -155,6 +151,27 @@ parameters:
     description: no proxies for docker
     default: ""
 
+  trustee_user_id:
+    type: string
+    description: user id of the trustee
+    default: ""
+
+  trustee_password:
+    type: string
+    description: password of the trustee
+    default: ""
+    hidden: true
+
+  trust_id:
+    type: string
+    description: id of the trust which is used by the trustee
+    default: ""
+    hidden: true
+
+  auth_url:
+    type: string
+    description: url for keystone
+
 resources:
 
   master_wait_handle:
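Review bot: `trustee_password` and `trust_id` default to `""`, so a bay stack created without them validates and only fails later inside make-cert.sh, where an empty password is POSTed to keystone; if the trust path is now required, drop the defaults so Heat reports the missing parameter at creation time, or keep them only while the old token path still exists and say so in the description. `auth_url` should also state that a v3 endpoint is expected, since the scripts rewrite `v2.0` to `v3`: `description: keystone v3 endpoint used by the trustee to obtain a trust-scoped token`. The removed `auth_url` description said the URL was for authenticating to neutron; if the master still uses `$AUTH_URL` for that, the new description should keep both uses rather than drop one.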
@@ -193,7 +210,6 @@ resources:
             "$FLANNEL_USE_VXLAN": {get_param: flannel_use_vxlan}
             "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
             "$ETCD_DISCOVERY_URL": {get_param: discovery_url}
-            "$AUTH_URL": {get_param: auth_url}
             "$USERNAME": {get_param: username}
             "$PASSWORD": {get_param: password}
             "$TENANT_NAME": {get_param: tenant_name}
@@ -206,6 +222,10 @@ resources:
             "$HTTPS_PROXY": {get_param: https_proxy}
             "$NO_PROXY": {get_param: no_proxy}
             "$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
+            "$TRUSTEE_USER_ID": {get_param: trustee_user_id}
+            "$TRUSTEE_PASSWORD": {get_param: trustee_password}
+            "$TRUST_ID": {get_param: trust_id}
+            "$AUTH_URL": {get_param: auth_url}
 
   make_cert:
     type: OS::Heat::SoftwareConfig
diff --git a/magnum/templates/kubernetes/kubeminion.yaml b/magnum/templates/kubernetes/kubeminion.yaml
index 55c916f..5c070b5 100644
--- a/magnum/templates/kubernetes/kubeminion.yaml
+++ b/magnum/templates/kubernetes/kubeminion.yaml
@@ -166,6 +166,27 @@ parameters:
     description: no proxies for docker
     default: ""
 
+  trustee_user_id:
+    type: string
+    description: user id of the trustee
+    default: ""
+
+  trustee_password:
+    type: string
+    description: password of the trustee
+    default: ""
+    hidden: true
+
+  trust_id:
+    type: string
+    description: id of the trust which is used by the trustee
+    default: ""
+    hidden: true
+
+  auth_url:
+    type: string
+    description: url for keystone
+
 resources:
 
   minion_wait_handle:
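Review bot: Every minion now receives the trustee password and trust id, so a compromised minion can mint trust-scoped tokens carrying whatever roles the trust delegates; the `trust_id` description should say what the trust is expected to grant (the only visible use is fetching the bay CA and signing certificates through magnum-api) so operators scope it accordingly, e.g. `description: id of the trust the trustee uses to obtain a token for magnum-api`. The `default: ""` on `trustee_password` and `trust_id` lets a stack validate without them and fail later in make-cert-client.sh; remove the defaults if the trust path is mandatory for minions.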
@@ -218,6 +239,10 @@ resources:
             $HTTPS_PROXY: {get_param: https_proxy}
             $NO_PROXY: {get_param: no_proxy}
             $WAIT_CURL: {get_attr: [minion_wait_handle, curl_cli]}
+            $TRUSTEE_USER_ID: {get_param: trustee_user_id}
+            $TRUSTEE_PASSWORD: {get_param: trustee_password}
+            $TRUST_ID: {get_param: trust_id}
+            $AUTH_URL: {get_param: auth_url}
 
   write_kubeconfig:
     type: OS::Heat::SoftwareConfig
-- 
2.5.5