Merge pull request #4 from CCI-MOC/feature/federation

With this pull request, federated logins work properly on a fresh installation.
CCI-MOC · Jun 24, 2018 · 458394b · 458394b
2 parents 3d858d2 + 0b57f44
commit 458394b
Show file tree

Hide file tree

Showing 7 changed files with 180 additions and 182 deletions.
diff --git a/overcloud-deploy.sh b/overcloud-deploy.sh
@@ -74,10 +74,12 @@ if [ -d patches/puppet-modules ]; then
 	echo "uploading puppet modules..."
 	upload-swift-artifacts \
 		-f puppet-modules.tar.gz \
-		--environment $PWD/templates/local_deploy.yaml
+		--environment $PWD/templates/puppet_modules.yaml
 
 	sed -i s/DeployArtifactURLs/PuppetModuleUrls/ \
-		$PWD/templates/local_deploy.yaml
+		$PWD/templates/puppet_modules.yaml
+
+	deploy_args+=(-e $PWD/templates/puppet_modules.yaml)
 fi
 
 if [ -f local_deploy_config.sh ]; then

diff --git a/scripts/restart-haproxy b/scripts/restart-haproxy
@@ -0,0 +1,7 @@
+#!/usr/bin/ansible-playbook
+
+- hosts: controller
+  tasks:
+    - shell: >-
+        docker container ls -q --filter name=haproxy |
+        xargs -ICID docker restart CID
diff --git a/scripts/restart-keystone b/scripts/restart-keystone
@@ -0,0 +1,6 @@
+#!/usr/bin/ansible-playbook
+
+- hosts: controller
+  tasks:
+    - shell: >-
+        docker restart keystone
diff --git a/templates/deploy.yaml b/templates/deploy.yaml
@@ -1,4 +1,16 @@
 ---
+resource_registry:
+
+  # These lines activate our network interface configuration files.
+  # Notice that because we are using pre-provisioned servers, our
+  # roles are named ComputeDeployedServer and
+  # ControllerDeployedServer, rather than Compute and Controller.
+  OS::TripleO::ComputeDeployedServer::Net::SoftwareConfig:
+    network/config/compute.yaml
+  OS::TripleO::ControllerDeployedServer::Net::SoftwareConfig:
+    network/config/controller.yaml
+  OS::TripleO::NodeExtraConfigPost: extraconfig.yaml
+
 parameter_defaults:
 
   # The CloudName is used in public API endpoints.
@@ -216,5 +228,9 @@ parameter_defaults:
   KeystoneIdentityProviders:
     moc:
       remote_id: https://sso.massopen.cloud/auth/realms/moc
-      rules: {get_file: ./rules.json}
+      rules:
+        - local:
+            - user: {name: '{0}'}
+          remote:
+            - {type: OIDC-preferred_username}
       protocol: openid
diff --git a/templates/extraconfig.yaml b/templates/extraconfig.yaml
@@ -6,9 +6,12 @@ parameters:
     type: json
   FloatingNetworkVlanID:
     type: string
+  KeystoneIdentityProviders:
+    type: json
+    default: {}
 
 resources:
-  ExtraConfig:
+  FinishNetworkConfig:
     type: OS::Heat::SoftwareConfig
     properties:
       group: script
@@ -40,17 +43,149 @@ resources:
           params:
             "@VLANID@": {get_param: FloatingNetworkVlanID}
 
-  ExtraDeployments:
+  FinishNetworkDeployments:
     type: OS::Heat::SoftwareDeploymentGroup
     properties:
       servers: {get_param: servers}
-      config: {get_resource: ExtraConfig}
+      config: {get_resource: FinishNetworkConfig}
       actions: ['CREATE']
 
-outputs:
-  deploy_status_code:
-    value: {get_attr: [ExtraDeployments, deploy_status_codes]}
-  deploy_stdouts:
-    value: {get_attr: [ExtraDeployments, deploy_stdouts]}
-  deploy_stderrs:
-    value: {get_attr: [ExtraDeployments, deploy_stderrs]}
+  KeystoneFederationConfig:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ansible
+      inputs:
+        - name: keystone_identity_providers
+      config: |
+        - hosts: localhost
+          connection: local
+          tasks:
+            # We want this script to run once on one of the
+            # controllers. We first check to see if we're running on
+            # the bootstrap node, but this is only unique per role
+            # (so, e.g., there will be a bootstrap node for the
+            # compute services as well).
+            - name: get bootstrap nodeid
+              command: hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid
+              register: bootstrap_node
+
+            # In order to identify whether or not we're running on a
+            # controller, we look at the list of active service names.
+            - name: get service names
+              command: hiera -c /etc/puppet/hiera.yaml service_names
+              register: service_names
+
+            - set_fact:
+                is_bootstrap_node: >-
+                  {{ bootstrap_node.stdout|lower == ansible_hostname|lower }}
+                has_keystone: >-
+                  {{ 'keystone' in service_names.stdout|from_json }}
+
+            # We only run the remainder of this playbook if this is a
+            # bootstrap node *and* it is running keystone.
+            - when: is_bootstrap_node and has_keystone
+              block:
+                - name: create temporary directory
+                  command: "mktemp -td federationXXXXXX"
+                  register: tempdir
+
+                - name: get keystone admin password
+                  command: hiera -c /etc/puppet/hiera.yaml keystone::admin_password
+                  register: keystone_admin_password
+
+                - name: get keystone internal endpoint
+                  command: hiera -c /etc/puppet/hiera.yaml keystone::endpoint::internal_url
+                  register: keystone_endpoint_internal
+
+                - name: get keystone region
+                  command: hiera -c /etc/puppet/hiera.yaml keystone::endpoint::region
+                  register: keystone_region
+
+                - name: write mapping rules to tempdir
+                  copy:
+                    dest: "{{ tempdir.stdout }}/rules-{{ item.key }}.json"
+                    content: "{{ item.value.rules|to_nice_json }}"
+                  with_dict: "{{ keystone_identity_providers }}"
+
+                - file:
+                    path: /etc/openstack
+                    state: directory
+                    owner: root
+                    group: root
+                    mode: 0700
+
+                - copy:
+                    dest: /etc/openstack/clouds.yaml
+                    owner: root
+                    group: root
+                    mode: "0600"
+                    content: |-
+                      clouds:
+                        overcloud:
+                          auth:
+                            username: admin
+                            project_name: admin
+                            password: "{{ keystone_admin_password.stdout }}"
+                            auth_url: "{{ keystone_endpoint_internal.stdout }}"
+                          region: "{{ keystone_region.stdout }}"
+                          identity_api_version: 3
+
+                - name: check if identity providers exist
+                  command: >-
+                    openstack --os-cloud overcloud identity provider show {{ item.key }}
+                  ignore_errors: true
+                  with_dict: "{{ keystone_identity_providers }}"
+                  register: providers
+
+                - name: create identity providers
+                  command: >-
+                    openstack --os-cloud overcloud identity provider create
+                    --remote-id {{ item.item.value.remote_id }} {{ item.item.key }}
+                  when: item is failed
+                  with_items: "{{ providers.results }}"
+                  
+                - name: check if mapping exists
+                  command: >-
+                    openstack --os-cloud overcloud mapping show {{ item.key }}-mapping
+                  ignore_errors: true
+                  with_dict: "{{ keystone_identity_providers }}"
+                  register: mappings
+
+                - name: create mapping
+                  command: >-
+                    openstack --os-cloud overcloud mapping create
+                    --rules "{{ tempdir.stdout }}/rules-{{ item.item.key }}.json"
+                    {{ item.item.key }}-mapping
+                  when: item is failed
+                  with_items: "{{ mappings.results }}"
+
+                - name: check if federation protocol exists
+                  command: >-
+                    openstack --os-cloud overcloud federation protocol show
+                    --identity-provider {{ item.key }} {{ item.value.protocol }}
+                  ignore_errors: true
+                  with_dict: "{{ keystone_identity_providers }}"
+                  register: protocols
+
+                - name: create federation protocol
+                  command: >-
+                    openstack --os-cloud overcloud federation protocol
+                    create {{ item.item.value.protocol }}
+                    --mapping {{ item.item.key }}-mapping
+                    --identity-provider {{ item.item.key }}
+                  when: item is failed
+                  with_items: "{{ protocols.results }}"
+              always:
+                - file:
+                    path: "{{ tempdir.stdout }}"
+                    state: absent
+                  ignore_errors: true
+
+  KeystoneFederationDeployments:
+    type: OS::Heat::SoftwareDeploymentGroup
+    properties:
+      servers: {get_param: servers}
+      config: {get_resource: KeystoneFederationConfig}
+      actions: ['CREATE']
+      input_values:
+        keystone_identity_providers: {get_param: KeystoneIdentityProviders}
diff --git a/templates/services.yaml b/templates/services.yaml
@@ -1,19 +1,9 @@
 ---
 resource_registry:
 
-  # These lines activate our network interface configuration files.
-  # Notice that because we are using pre-provisioned servers, our
-  # roles are named ComputeDeployedServer and
-  # ControllerDeployedServer, rather than Compute and Controller.
-  OS::TripleO::ComputeDeployedServer::Net::SoftwareConfig:
-    network/config/compute.yaml
-  OS::TripleO::ControllerDeployedServer::Net::SoftwareConfig:
-    network/config/controller.yaml
-  OS::TripleO::NodeExtraConfigPost: extraconfig.yaml
   OS::Tripleo::Services::PatchPuppetModules:
     ./services/patch-puppet-modules.yaml
-  OS::Tripleo::Services::ConfigureKeystoneFederation:
-    ./services/configure-keystone-federation.yaml
+  OS::Tripleo::Services::ConfigureKeystoneFederation: OS::Heat::None
 
 parameter_defaults:
   ControllerDeployedServerServices:
@@ -72,7 +62,6 @@ parameter_defaults:
     - OS::TripleO::Services::Keepalived
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Keystone
-    - OS::Tripleo::Services::ConfigureKeystoneFederation
     - OS::TripleO::Services::ManilaApi
     - OS::TripleO::Services::ManilaBackendCephFs
     - OS::TripleO::Services::ManilaBackendIsilon