diff --git a/.gitignore b/.gitignore index e3ed0f85327c42b98a44f0e76533e67ac050a13d..3c3fce295286ef8b4161180062cf755ef42fa29b 100644 --- a/.gitignore +++ b/.gitignore @@ -38,3 +38,5 @@ local installers/charm/**/release/ __pycache__ .tox +*Chart.lock +installers/helm/osm/charts/ \ No newline at end of file diff --git a/docker/Keystone/Dockerfile b/docker/Keystone/Dockerfile index b00b384823c0c9e63fb0ba36b786fe7fded74a28..29089f55220d17e4085ed0885ee7206dfd87dfdf 100644 --- a/docker/Keystone/Dockerfile +++ b/docker/Keystone/Dockerfile @@ -26,8 +26,6 @@ EXPOSE 5000 WORKDIR /app -COPY scripts/start.sh /app/start.sh - RUN DEBIAN_FRONTEND=noninteractive apt-get update && \ DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && \ DEBIAN_FRONTEND=noninteractive apt-get autoremove -y && \ @@ -54,8 +52,7 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && \ net-tools=1.60* \ mysql-client=8.0.* \ dnsutils=1:9.18.* && \ - rm -rf /var/lib/apt/lists/* && \ - chmod +x start.sh + rm -rf /var/lib/apt/lists/* RUN pip3 install python-ldap==3.2.0 ldappool==3.0.0 python-openstackclient==6.2.0 @@ -82,7 +79,11 @@ RUN groupadd -g 1000 appuser && \ mkdir -p /etc/sudoers.d && \ echo "%appuser ALL= NOPASSWD: /sbin/service apache2 *" > /etc/sudoers.d/appuser -USER appuser +COPY scripts/start.sh /app/start.sh + +RUN chmod +x start.sh + +USER root # database ENV DB_HOST keystone-db diff --git a/docker/Keystone/scripts/start.sh b/docker/Keystone/scripts/start.sh index dde1b5ae687f701f1d2933aa17eedb0d730dc421..7b4e008a20a9b60ca9ebff5be22a9b9475e36f8e 100755 --- a/docker/Keystone/scripts/start.sh +++ b/docker/Keystone/scripts/start.sh @@ -18,6 +18,8 @@ # contact: esousa@whitestack.com or glavado@whitestack.com ## +set -e + DB_EXISTS="" USER_DB_EXISTS="" DB_NOT_EMPTY="" 
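Review bot: The added `*Chart.lock` pattern removes the chart's dependency lock file from version control, so `helm dependency build` on a fresh clone resolves subchart versions from whatever the repositories serve at that moment instead of the pinned versions and digests that were tested; like other lock files, Chart.lock is normally committed and only the fetched `charts/` directory ignored. Keep the second added line, `installers/helm/osm/charts/`, and drop `*Chart.lock`. The `\ No newline at end of file` marker now applies to the new last line as well.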
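Review bot: `USER root` as the image's final user in the -82 hunk reverses the `USER appuser` line it replaces, so every process started from this image, start.sh and apache2 included, now runs as uid 0; the `RUN chmod +x start.sh` just above it already executes as root during the build, so the COPY/chmod reorder does not require the runtime user to change. The hunk's own context keeps the sudoers entry `%appuser ALL= NOPASSWD: /sbin/service apache2 *`, which becomes pointless once the user is root. If start.sh needs privileges for one step, keep `USER appuser` and grant that step through the existing sudoers rule or perform it in a `RUN` layer. `chmod +x start.sh` also relies on `WORKDIR /app` from the -26 hunk; `RUN chmod +x /app/start.sh` states that explicitly. The same regression is repeated on the cluster side in the securityContext hunk of keystone-deployment.yaml.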
@@ -121,6 +123,8 @@ sed -i '/^\[database\]$/,/^\[/ s/^connection = .*/connection = mysql+pymysql:\/\ # Setting Keystone tokens sed -i '/^\[token\]$/,/^\[/ s/^.*provider = .*/provider = fernet/' /etc/keystone/keystone.conf +# Setting Keystone for the stderr +sed -i '/\[DEFAULT\]/a use_stderr = true' /etc/keystone/keystone.conf # Use LDAP authentication for Identity if [ $LDAP_AUTHENTICATION_DOMAIN_NAME ]; then @@ -222,6 +226,7 @@ wait_keystone_host # Bootstrap Keystone service if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then + echo "Bootstraping keystone" keystone-manage bootstrap \ --bootstrap-username "$ADMIN_USERNAME" \ --bootstrap-password "$ADMIN_PASSWORD" \ @@ -250,12 +255,33 @@ EOF source setup_env +# Function to retry a command up to 5 times +retry() { + local n=1 + local max=5 + local delay=5 + while true; do + "$@" && break || { + if [[ $n -lt $max ]]; then + ((n++)) + echo "Command failed. Attempt $n/$max:" + sleep $delay; + else + echo "The command has failed after $n attempts." + return 1 + fi + } + done +} + # Create NBI User -if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then - openstack user create --domain default --password "$SERVICE_PASSWORD" "$SERVICE_USERNAME" - openstack project create --domain default --description "Service Project" "$SERVICE_PROJECT" - openstack role add --project "$SERVICE_PROJECT" --user "$SERVICE_USERNAME" admin +if ! openstack user show nbi --domain default; then + echo "NBI user does not exist. Creating nbi user" + retry openstack user create --domain default --password "$SERVICE_PASSWORD" "$SERVICE_USERNAME" || exit 1 + retry openstack project create --domain default --description "Service Project" "$SERVICE_PROJECT" || exit 1 + retry openstack role add --project "$SERVICE_PROJECT" --user "$SERVICE_USERNAME" admin || exit 1 fi +echo "Done creating the NBI user" if [ $LDAP_AUTHENTICATION_DOMAIN_NAME ]; then if !(openstack domain list | grep -q $LDAP_AUTHENTICATION_DOMAIN_NAME); then 
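Review bot: The added `sed -i '/\[DEFAULT\]/a use_stderr = true' /etc/keystone/keystone.conf` uses an unanchored pattern and no idempotency check, unlike the `/^\[token\]$/` expression on the line above it, so it appends after any line that merely contains `[DEFAULT]` and, if this script runs on every container start, appends another `use_stderr = true` each time. Anchor the section header and guard the edit, e.g. `grep -q '^use_stderr = true' /etc/keystone/keystone.conf || sed -i '/^\[DEFAULT\]$/a use_stderr = true' /etc/keystone/keystone.conf`. The comment `# Setting Keystone for the stderr` would read better as `# Send Keystone logs to stderr so the container runtime collects them`.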
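Review bot: The new progress line `echo "Bootstraping keystone"` misspells the word; `echo "Bootstrapping keystone"`. Since the file now runs under `set -e`, a failing `keystone-manage bootstrap` on the following lines ends the script right after this message, so it is the last thing an operator sees; the unquoted `[ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]` on the context line above is worth quoting while this block is being touched.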
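Review bot: The new guard `if ! openstack user show nbi --domain default; then` hard-codes the name `nbi` while the three commands it protects operate on `"$SERVICE_USERNAME"` and `"$SERVICE_PROJECT"`, so with any other SERVICE_USERNAME the check never matches and the create is re-attempted (five retries each) on every start; it also covers only the user, so a run that created the user but failed on the project or the role add is never repaired because those steps are skipped together with it. Check the same identity the commands use, `if ! openstack user show "$SERVICE_USERNAME" --domain default >/dev/null 2>&1; then`, and guard the project and role steps separately (`openstack project show "$SERVICE_PROJECT"`) or let them tolerate an existing object. In `retry`, `$max` and `$delay` are unquoted and `sleep $delay;` carries a stray semicolon; `(( n < max ))` and `sleep "$delay"` read cleaner, and the `|| exit 1` after each `retry` call is redundant under the `set -e` added at the top of the file. `--password "$SERVICE_PASSWORD"` is carried over from the removed lines, but it is now re-executed up to five times, so the password sits in the process table for the duration of each attempt; that exposure is pre-existing but worth a comment since the retry loop lengthens it.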
@@ -270,7 +296,7 @@ fi while ps -ef | grep -v grep | grep -q apache2 do - sleep 60 + tail -f /var/log/keystone/keystone-manage.log done # Only reaches this point if apache2 stops running diff --git a/installers/helm/osm/templates/keystone/keystone-configmap.yaml b/installers/helm/osm/templates/keystone/keystone-configmap.yaml index 02a859a608e1a879a4f04c340b1721775e346f21..5c1cff1aa4e989b2a83c0c69854aa9bf73ac4a4e 100644 --- a/installers/helm/osm/templates/keystone/keystone-configmap.yaml +++ b/installers/helm/osm/templates/keystone/keystone-configmap.yaml @@ -1,4 +1,4 @@ -{{- if .Values.keystone.enabled -}} +{{- if .Values.keystone.enabled }} ####################################################################################### # Copyright ETSI Contributors and Others. # @@ -22,5 +22,9 @@ metadata: labels: {{- include "osm.labels" . | nindent 4 }} data: +{{- if .Values.mysql.enabled }} DB_HOST: "{{ .Values.global.db.mysql.mysqlService }}" +{{- else }} + DB_HOST: "" +{{- end }} {{- end }} \ No newline at end of file diff --git a/installers/helm/osm/templates/keystone/keystone-deployment.yaml b/installers/helm/osm/templates/keystone/keystone-deployment.yaml index ba7e05d39353e71e3ee0021ebf145959a8e5fa61..10798661e3f4ed9ba0d3ea868f37e51d1d22b226 100644 --- a/installers/helm/osm/templates/keystone/keystone-deployment.yaml +++ b/installers/helm/osm/templates/keystone/keystone-deployment.yaml @@ -1,4 +1,4 @@ -{{- if .Values.keystone.enabled -}} +{{- if and .Values.keystone.enabled .Values.mysql.enabled -}} ####################################################################################### # Copyright ETSI Contributors and Others. # 
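Review bot: Replacing `sleep 60` with `tail -f /var/log/keystone/keystone-manage.log` inside the `while ps -ef | grep -v grep | grep -q apache2` loop changes what the loop does: `tail -f` does not return while the file exists, so the apache2 liveness test in the loop header is evaluated once and the context comment `# Only reaches this point if apache2 stops running` no longer holds; conversely, if the log file is absent when the loop starts, `tail` fails and, under the `set -e` added at the top of the file, the script exits. Start the tail once in the background and keep the polling loop, e.g. `tail -F /var/log/keystone/keystone-manage.log &` before the `while` and `sleep 60` back in the body. `tail --pid=<apache2 pid> -f …` is an alternative if the pid is known (GNU tail, which the apt-based image presumably has).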
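Review bot: The keystone templates are now gated inconsistently: keystone-deployment.yaml renders only when `and .Values.keystone.enabled .Values.mysql.enabled`, while this configmap (emitting `DB_HOST: ""` when mysql is disabled), keystone-service.yaml and the new `OSMNBI_AUTHENTICATION_BACKEND: "keystone"` / `OSMNBI_AUTHENTICATION_AUTH_URL` block in nbi-configmap.yaml render on `keystone.enabled` alone. With `keystone.enabled: true` and `mysql.enabled: false`, NBI is configured to authenticate against `http://keystone:<port>/v3` while no Keystone pod is rendered and the Service has no endpoints. Either gate all four templates on one condition (a named template evaluating the `and`, used in every `if`) or fail early in this configmap for the invalid combination, `{{- fail "keystone requires mysql.enabled" }}`; the empty `DB_HOST` branch then becomes unnecessary.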
@@ -48,9 +48,8 @@ spec: - name: keystone securityContext: # readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsNonRoot: true - {{- toYaml .Values.global.securityContext | nindent 12 }} + allowPrivilegeEscalation: true + # runAsNonRoot: false image: {{ include "osm.keystone.image" . }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} ports: diff --git a/installers/helm/osm/templates/keystone/keystone-service.yaml b/installers/helm/osm/templates/keystone/keystone-service.yaml index 7e4aa5257189f59005c6e76a5050f384716d981c..be3cf1da394ef821af2410eea73636fcdb640791 100644 --- a/installers/helm/osm/templates/keystone/keystone-service.yaml +++ b/installers/helm/osm/templates/keystone/keystone-service.yaml @@ -1,4 +1,4 @@ -{{- if .Values.keystone.enabled -}} +{{- if and .Values.keystone.enabled }} ####################################################################################### # Copyright ETSI Contributors and Others. # diff --git a/installers/helm/osm/templates/nbi/nbi-configmap.yaml b/installers/helm/osm/templates/nbi/nbi-configmap.yaml index e4c6ac99d87afe89d710483754cbd9192cdcd077..b76a4fb255423283bf640fe27cc9c8f6f324bd52 100644 --- a/installers/helm/osm/templates/nbi/nbi-configmap.yaml +++ b/installers/helm/osm/templates/nbi/nbi-configmap.yaml @@ -35,4 +35,8 @@ data: OSMNBI_OTP_RETRY_COUNT: {{ .Values.nbi.smtp.otpRetryCount }} OSMNBI_OTP_EXPIRY_TIME: {{ .Values.nbi.smtp.otpExpiryTime }} {{- end }} + {{- if .Values.keystone.enabled }} + OSMNBI_AUTHENTICATION_BACKEND: "keystone" + OSMNBI_AUTHENTICATION_AUTH_URL: "http://keystone:{{ .Values.keystone.service.port }}/v3" + {{- end }} {{- end }} diff --git a/installers/helm/osm/values.yaml b/installers/helm/osm/values.yaml index da9fe7ea193e97f6b48c4d19110b65533922cd8a..c5e2821b76e642b70067f682a733205343c8a00f 100644 --- a/installers/helm/osm/values.yaml +++ b/installers/helm/osm/values.yaml 
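Review bot: The securityContext hunk sets `allowPrivilegeEscalation: true`, deletes `runAsNonRoot: true` and drops the `{{- toYaml .Values.global.securityContext | nindent 12 }}` include, so the keystone container no longer inherits the chart-wide security context and, together with `USER root` in docker/Keystone/Dockerfile, runs as uid 0 with privilege escalation permitted; the leftover `# runAsNonRoot: false` line documents nothing. If a specific operation in start.sh needs elevated rights, the narrower fix is to keep the global include and grant just that right (the image already ships a sudoers rule for `service apache2`) rather than removing the guard for the whole container. Restore `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and the `toYaml` include, and if root really is required, say why in a comment next to the override so it is not reverted blindly.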
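Review bot: `{{- if and .Values.keystone.enabled }}` in keystone-service.yaml applies `and` to a single operand, which evaluates to that operand, so it behaves like the previous condition but reads as an unfinished edit; presumably the `.Values.mysql.enabled` operand used in keystone-deployment.yaml was meant to follow. Either add it so the Service matches the Deployment's condition or revert to `{{- if .Values.keystone.enabled -}}`; the trailing `-}}` was also dropped here, which leaves a blank first line in the rendered manifest.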
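Review bot: The new `OSMNBI_AUTHENTICATION_AUTH_URL: "http://keystone:{{ .Values.keystone.service.port }}/v3"` hard-codes the Service hostname `keystone` and a plaintext scheme; if the chart exposes the Keystone service name through a value or helper (the deployment already uses `include "osm.keystone.image"`, so a sibling helper may exist), derive the host from it so a name override does not break NBI. Authentication traffic to that URL is unencrypted inside the cluster, which is acceptable only where the cluster network is trusted or a mesh terminates TLS; a comment next to the value stating that assumption would help operators.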
@@ -208,7 +208,7 @@ kafka: # replicaCount: 1 keystone: - enabled: true + enabled: false service: port: 5000 image: {} @@ -252,7 +252,7 @@ mon: config: {} mysql: - enabled: true + enabled: false image: tag: "8.1-debian-11" fullnameOverride: "mysql"
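Review bot: Flipping `keystone.enabled` and `mysql.enabled` to `false` changes the chart's default authentication backend silently, and because keystone-deployment.yaml is now gated on both flags, setting `keystone.enabled: true` alone no longer produces a Keystone pod; nothing in values.yaml records that coupling. Add a comment above the `enabled:` key in the keystone block, e.g. `# Requires mysql.enabled: true; the Keystone Deployment is not rendered without it`, and a matching note under `mysql`.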