Add support for openstack application credentials (kubernetes-sigs#6534)

* Add support for openstack application credentials * Add some lines for readability * Update external_openstack_tenant_id check Do not check external_openstack_tenant_id when application credentials are defined * Add check for external_openstack_domain_id * Fix typo
southbridgeio · Jan 12, 2021 · 96a09fe · 96a09fe
1 parent 6df9710
commit 96a09fe
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 6 deletions.
diff --git a/inventory/sample/group_vars/all/openstack.yml b/inventory/sample/group_vars/all/openstack.yml
@@ -35,6 +35,13 @@
 #   - ""
 # external_openstack_metadata_search_order: "configDrive,metadataService"
 
+## Application credentials to authenticate against Keystone API
+## Those settings will take precedence over username and password that might be set your environment
+## All of them are required
+# external_openstack_application_credential_name:
+# external_openstack_application_credential_id:
+# external_openstack_application_credential_secret:
+
 ## The tag of the external OpenStack Cloud Controller image
 # external_openstack_cloud_controller_image_tag: "latest"
 

diff --git a/.../kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-credential-check.yml b/.../kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-credential-check.yml
@@ -4,24 +4,63 @@
     msg: "external_openstack_auth_url is missing"
   when: external_openstack_auth_url is not defined or not external_openstack_auth_url
 
-- name: External OpenStack Cloud Controller | check external_openstack_username value
+
+- name: External OpenStack Cloud Controller | check external_openstack_username or external_openstack_application_credential_name value
+  fail:
+    msg: "you must either set external_openstack_username or external_openstack_application_credential_name"
+  when:
+    - external_openstack_username is not defined or not external_openstack_username
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_application_credential_id value
+  fail:
+    msg: "external_openstack_application_credential_id is missing"
+  when:
+    - external_openstack_application_credential_name is defined
+    - external_openstack_application_credential_name|length > 0
+    - external_openstack_application_credential_id is not defined or not external_openstack_application_credential_id
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_application_credential_secret value
   fail:
-    msg: "external_openstack_username is missing"
-  when: external_openstack_username is not defined or not external_openstack_username
+    msg: "external_openstack_application_credential_secret is missing"
+  when:
+    - external_openstack_application_credential_name is defined
+    - external_openstack_application_credential_name|length > 0
+    - external_openstack_application_credential_secret is not defined or not external_openstack_application_credential_secret
+
 
 - name: External OpenStack Cloud Controller | check external_openstack_password value
   fail:
     msg: "external_openstack_password is missing"
-  when: external_openstack_password is not defined or not external_openstack_password
+  when:
+    - external_openstack_username is defined
+    - external_openstack_username|length > 0
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
+    - external_openstack_application_credential_secret is not defined or not external_openstack_application_credential_secret
+    - external_openstack_password is not defined or not external_openstack_password
+
 
 - name: External OpenStack Cloud Controller | check external_openstack_region value
   fail:
     msg: "external_openstack_region is missing"
   when: external_openstack_region is not defined or not external_openstack_region
 
+
 - name: External OpenStack Cloud Controller | check external_openstack_tenant_id value
   fail:
     msg: "one of external_openstack_tenant_id or external_openstack_tenant_name must be specified"
   when:
-    - (external_openstack_tenant_id is not defined or not external_openstack_tenant_id) and
-      (external_openstack_tenant_name is not defined or not external_openstack_tenant_name)
+    - external_openstack_tenant_id is not defined or not external_openstack_tenant_id
+    - external_openstack_tenant_name is not defined or not external_openstack_tenant_name
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
+
+
+- name: External OpenStack Cloud Controller | check external_openstack_domain_id value
+  fail:
+    msg: "one of external_openstack_domain_id or external_openstack_domain_name must be specified"
+  when:
+    - external_openstack_domain_id is not defined or not external_openstack_domain_id
+    - external_openstack_domain_name is not defined or not external_openstack_domain_name
+    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
diff --git a/...tes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2 b/...tes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2
@@ -1,7 +1,18 @@
 [Global]
 auth-url="{{ external_openstack_auth_url }}"
+{% if external_openstack_application_credential_id is not defined and external_openstack_application_credential_name is not defined %}
 username="{{ external_openstack_username }}"
 password="{{ external_openstack_password }}"
+{% endif %}
+{% if external_openstack_application_credential_id is defined and external_openstack_application_credential_id != "" %}
+application-credential-id={{ external_openstack_application_credential_id }}
+{% endif %}
+{% if external_openstack_application_credential_name is defined and external_openstack_application_credential_name != "" %}
+application-credential-name={{ external_openstack_application_credential_name }}
+{% endif %}
+{% if external_openstack_application_credential_secret is defined and external_openstack_application_credential_secret != "" %}
+application-credential-secret={{ external_openstack_application_credential_secret }}
+{% endif %}
 region="{{ external_openstack_region }}"
 {% if external_openstack_tenant_id is defined and external_openstack_tenant_id != "" %}
 tenant-id="{{ external_openstack_tenant_id }}"