From 7badcae198d10e8dc0777f013f0176b81ebe5e68 Mon Sep 17 00:00:00 2001
From: vegall <lvega@whitestack.com>
Date: Tue, 2 Jul 2024 15:30:30 +0000
Subject: [PATCH] Fix keystone to manage the OSM users/projects

Keystone was not used by default by OSM NBI. Instead, internal
authentication is used.

When NBI is configured to use Keystone as auth backend, we found that it
didn't bootstrap properly because there were no data in the MySQL DB
used by Keystone. The initialization of the DB was supposed to be done by the
Keystone containers in keystone-deployment. However, those containers
were not able to initialize the DB because they were running as regular
users instead of root.

Keystone is thought as an infra solution, not as an application
solution. The community behind Keystone development agreed on that
behaviour.

Based on that, Keystone containers were adapted to run as root.

In addition, we decided to disable Keystone and MySQL as part of the
default values for OSM helm chart.

Change-Id: I0e7078b809abe858a69323d6e3e493e862d6e6ab
Signed-off-by: vegall <lvega@whitestack.com>
---
 .gitignore                                    |  2 ++
 docker/Keystone/Dockerfile                    | 11 +++---
 docker/Keystone/scripts/start.sh              | 36 ++++++++++++++++---
 .../keystone/keystone-configmap.yaml          |  6 +++-
 .../keystone/keystone-deployment.yaml         |  7 ++--
 .../templates/keystone/keystone-service.yaml  |  2 +-
 .../helm/osm/templates/nbi/nbi-configmap.yaml |  4 +++
 installers/helm/osm/values.yaml               |  4 +--
 8 files changed, 54 insertions(+), 18 deletions(-)

diff --git a/.gitignore b/.gitignore
index e3ed0f85..3c3fce29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,5 @@ local
 installers/charm/**/release/
 __pycache__
 .tox
+*Chart.lock
+installers/helm/osm/charts/
\ No newline at end of file
diff --git a/docker/Keystone/Dockerfile b/docker/Keystone/Dockerfile
index b00b3848..29089f55 100644
--- a/docker/Keystone/Dockerfile
+++ b/docker/Keystone/Dockerfile
@@ -26,8 +26,6 @@ EXPOSE 5000
 
 WORKDIR /app
 
-COPY scripts/start.sh /app/start.sh
-
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && \
     DEBIAN_FRONTEND=noninteractive apt-get autoremove -y && \
@@ -54,8 +52,7 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
     net-tools=1.60* \
     mysql-client=8.0.* \
     dnsutils=1:9.18.* && \
-    rm -rf /var/lib/apt/lists/* && \
-    chmod +x start.sh
+    rm -rf /var/lib/apt/lists/*
 
 RUN pip3 install python-ldap==3.2.0 ldappool==3.0.0 python-openstackclient==6.2.0
 
@@ -82,7 +79,11 @@ RUN groupadd -g 1000 appuser && \
     mkdir -p /etc/sudoers.d && \
     echo "%appuser ALL= NOPASSWD: /sbin/service apache2 *" > /etc/sudoers.d/appuser
 
-USER appuser
+COPY scripts/start.sh /app/start.sh
+
+RUN chmod +x start.sh
+
+USER root
 
 # database
 ENV DB_HOST                 keystone-db
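Review bot: `USER root` leaves the `appuser` account and the sudoers rule kept in the context lines above (`%appuser ALL= NOPASSWD: /sbin/service apache2 *`) created but never exercised, and nothing in the Dockerfile records why the image now has to run as uid 0. If root is needed only so start.sh can initialise the Keystone MySQL database, say so beside the directive, e.g. `# Runs as root: start.sh must initialise the Keystone MySQL database; the appuser/sudoers setup above is currently unused`, or drop the dead sudoers rule. A smaller-surface alternative would be to do the one-time DB initialisation as root and hand the long-running apache2 process back to appuser, but that depends on how start.sh launches apache2, which is outside this diff. The Kubernetes side of the same decision (keystone-deployment.yaml) is reviewed separately.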
diff --git a/docker/Keystone/scripts/start.sh b/docker/Keystone/scripts/start.sh
index dde1b5ae..7b4e008a 100755
--- a/docker/Keystone/scripts/start.sh
+++ b/docker/Keystone/scripts/start.sh
@@ -18,6 +18,8 @@
 # contact: esousa@whitestack.com or glavado@whitestack.com
 ##
 
+set -e
+
 DB_EXISTS=""
 USER_DB_EXISTS=""
 DB_NOT_EMPTY=""
@@ -121,6 +123,8 @@ sed -i '/^\[database\]$/,/^\[/ s/^connection = .*/connection = mysql+pymysql:\/\
 # Setting Keystone tokens
 sed -i '/^\[token\]$/,/^\[/ s/^.*provider = .*/provider = fernet/' /etc/keystone/keystone.conf
 
+# Setting Keystone for the stderr
+sed -i '/\[DEFAULT\]/a use_stderr = true' /etc/keystone/keystone.conf
 
 # Use LDAP authentication for Identity
 if [ $LDAP_AUTHENTICATION_DOMAIN_NAME ]; then
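Review bot: The new `sed` address `/\[DEFAULT\]/` is unanchored, whereas the rewrites around it match whole section headers (`^\[token\]$`); any line that merely mentions `[DEFAULT]`, such as a comment, gets `use_stderr = true` appended after it, and every restart of the container appends another copy. Anchor it like the others: `sed -i '/^\[DEFAULT\]$/a use_stderr = true' /etc/keystone/keystone.conf`. If the packaged keystone.conf already carries a (possibly commented) `use_stderr` line in that section, a substitution scoped to `[DEFAULT]` in the style of the `[token]` line above would also be idempotent across restarts; which form applies depends on the stock config, which is not visible here.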
@@ -222,6 +226,7 @@ wait_keystone_host
 
 # Bootstrap Keystone service
 if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then
+    echo "Bootstraping keystone"
     keystone-manage bootstrap \
         --bootstrap-username "$ADMIN_USERNAME" \
         --bootstrap-password "$ADMIN_PASSWORD" \
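Review bot: The new log line misspells its message; it should read `echo "Bootstrapping keystone"`, and since it is a progress diagnostic rather than program output it belongs on stderr (`>&2`) like the other status messages this patch adds. The `if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]` block that contains it continues past the end of the hunk.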
@@ -250,12 +255,33 @@ EOF
 
 source setup_env
 
+# Function to retry a command up to 5 times
+retry() {
+    local n=1
+    local max=5
+    local delay=5
+    while true; do
+        "$@" && break || {
+            if [[ $n -lt $max ]]; then
+                ((n++))
+                echo "Command failed. Attempt $n/$max:"
+                sleep $delay;
+            else
+                echo "The command has failed after $n attempts."
+                return 1
+            fi
+        }
+    done
+}
+
 # Create NBI User
-if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then
-    openstack user create --domain default --password "$SERVICE_PASSWORD" "$SERVICE_USERNAME"
-    openstack project create --domain default --description "Service Project" "$SERVICE_PROJECT"
-    openstack role add --project "$SERVICE_PROJECT" --user "$SERVICE_USERNAME" admin
+if ! openstack user show nbi --domain default; then
+    echo "NBI user does not exist. Creating nbi user"
+    retry openstack user create --domain default --password "$SERVICE_PASSWORD" "$SERVICE_USERNAME" || exit 1
+    retry openstack project create --domain default --description "Service Project" "$SERVICE_PROJECT" || exit 1
+    retry openstack role add --project "$SERVICE_PROJECT" --user "$SERVICE_USERNAME" admin || exit 1
 fi
+echo "Done creating the NBI user"
 
 if [ $LDAP_AUTHENTICATION_DOMAIN_NAME ]; then
     if !(openstack domain list | grep -q $LDAP_AUTHENTICATION_DOMAIN_NAME); then
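Review bot: The existence check on the new `if` line looks up the literal user `nbi`, while the create and role-add commands that follow use `$SERVICE_USERNAME`; if the two ever differ the check never finds the user, `retry openstack user create` fails five times on the duplicate name and the script exits. Use the variable in both places and silence the table output: `if ! openstack user show --domain default "$SERVICE_USERNAME" >/dev/null 2>&1; then`. The guard also covers only the user: if an earlier run created the user but died before the project or role-add step, those two commands are skipped on the next start, so each of the three steps is better guarded (or made idempotent) on its own. In `retry`, the progress messages are diagnostics and belong on stderr (`echo "Command failed. Attempt $n/$max:" >&2`), and `sleep $delay;` carries a stray `;`. The `if [ $LDAP_AUTHENTICATION_DOMAIN_NAME ]` block at the bottom continues outside the hunk.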
@@ -270,7 +296,7 @@ fi
 
 while ps -ef | grep -v grep | grep -q apache2
 do
-    sleep 60
+    tail -f /var/log/keystone/keystone-manage.log
 done
 
 # Only reaches this point if apache2 stops running
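Review bot: Replacing `sleep 60` with `tail -f` in the loop body means the `while ps -ef | grep -q apache2` condition is evaluated only once: `tail -f` never returns on its own, so when apache2 dies the script never reaches the `# Only reaches this point if apache2 stops running` path below and the container stays up with a dead Keystone. It also ties the watchdog to a file that may not exist yet on first start, and with the `set -e` added at the top a failing `tail` then aborts the whole script. Stream the log in the background and keep the poll: put `tail -n 0 -F /var/log/keystone/keystone-manage.log &` before the `while`, and restore `sleep 60` as the loop body. Whether keystone-manage.log is the file the running service writes to is not visible here; confirm it is the intended log.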
diff --git a/installers/helm/osm/templates/keystone/keystone-configmap.yaml b/installers/helm/osm/templates/keystone/keystone-configmap.yaml
index 02a859a6..5c1cff1a 100644
--- a/installers/helm/osm/templates/keystone/keystone-configmap.yaml
+++ b/installers/helm/osm/templates/keystone/keystone-configmap.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.keystone.enabled -}}
+{{- if .Values.keystone.enabled }}
 #######################################################################################
 # Copyright ETSI Contributors and Others.
 #
@@ -22,5 +22,9 @@ metadata:
   labels:
     {{- include "osm.labels" . | nindent 4 }}
 data:
+{{- if .Values.mysql.enabled }}
   DB_HOST: "{{ .Values.global.db.mysql.mysqlService }}"
+{{- else }}
+  DB_HOST: ""
+{{- end }}
 {{- end }}
\ No newline at end of file
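Review bot: The enable conditions across the keystone templates no longer agree: this ConfigMap and keystone-service.yaml render on `.Values.keystone.enabled` alone, keystone-deployment.yaml (its first hunk) now additionally requires `.Values.mysql.enabled`, and nbi-configmap.yaml switches NBI to the keystone backend on `.Values.keystone.enabled` alone. With `keystone.enabled: true` and `mysql.enabled: false` the chart therefore renders a ConfigMap with `DB_HOST: ""` and a Service with no backing pods while NBI is pointed at a Keystone that does not exist, so nobody can log in. Either gate all four templates on the same `and .Values.keystone.enabled .Values.mysql.enabled` expression (or a shared helper), or reject the combination at render time with `{{- if and .Values.keystone.enabled (not .Values.mysql.enabled) }}{{- fail "keystone requires mysql.enabled" }}{{- end }}`. Dropping the trailing `-` from the opening `{{- if ... -}}` also emits a leading blank line in the rendered manifest; harmless, but inconsistent with the other templates.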
diff --git a/installers/helm/osm/templates/keystone/keystone-deployment.yaml b/installers/helm/osm/templates/keystone/keystone-deployment.yaml
index ba7e05d3..10798661 100644
--- a/installers/helm/osm/templates/keystone/keystone-deployment.yaml
+++ b/installers/helm/osm/templates/keystone/keystone-deployment.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.keystone.enabled -}}
+{{- if and .Values.keystone.enabled .Values.mysql.enabled -}}
 #######################################################################################
 # Copyright ETSI Contributors and Others.
 #
@@ -48,9 +48,8 @@ spec:
         - name: keystone
           securityContext:
             # readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
-            runAsNonRoot: true
-            {{- toYaml .Values.global.securityContext | nindent 12 }}
+            allowPrivilegeEscalation: true
+            # runAsNonRoot: false
           image: {{ include "osm.keystone.image" . }}
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           ports:
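Review bot: `allowPrivilegeEscalation: true` is not needed to run the container as uid 0: the Dockerfile now sets `USER root`, and `allowPrivilegeEscalation: false` only forbids a process gaining more privileges than it started with (no_new_privs), which a root process does not need. Keeping it `false` limits what a compromised Keystone could do through setuid binaries, and the image still configures a sudoers rule. Commenting out `runAsNonRoot` and dropping `{{- toYaml .Values.global.securityContext | nindent 12 }}` also discards whatever chart-wide settings that value carries (capabilities, seccomp profile — not visible here); if only `runAsNonRoot` conflicts with running as root, consider keeping the include and overriding that single key, with the reason recorded inline: `# Keystone runs as root so start.sh can initialise the MySQL schema (see docker/Keystone/Dockerfile)`. The first hunk of this file, gating the Deployment on `mysql.enabled`, is covered in the keystone-configmap note.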
diff --git a/installers/helm/osm/templates/keystone/keystone-service.yaml b/installers/helm/osm/templates/keystone/keystone-service.yaml
index 7e4aa525..be3cf1da 100644
--- a/installers/helm/osm/templates/keystone/keystone-service.yaml
+++ b/installers/helm/osm/templates/keystone/keystone-service.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.keystone.enabled -}}
+{{- if and .Values.keystone.enabled }}
 #######################################################################################
 # Copyright ETSI Contributors and Others.
 #
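Review bot: `{{- if and .Values.keystone.enabled }}` applies `and` to a single operand, which evaluates to that operand and therefore behaves exactly like the original `if .Values.keystone.enabled`; it reads as if a second condition was intended and then dropped. Either restore `{{- if .Values.keystone.enabled -}}` or add the `.Values.mysql.enabled` term that keystone-deployment.yaml now uses, so a Service is not rendered for a Deployment that is not. The trailing `-` trim was also removed here, which leaves a leading blank line in the output.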
diff --git a/installers/helm/osm/templates/nbi/nbi-configmap.yaml b/installers/helm/osm/templates/nbi/nbi-configmap.yaml
index e4c6ac99..b76a4fb2 100644
--- a/installers/helm/osm/templates/nbi/nbi-configmap.yaml
+++ b/installers/helm/osm/templates/nbi/nbi-configmap.yaml
@@ -35,4 +35,8 @@ data:
   OSMNBI_OTP_RETRY_COUNT: {{ .Values.nbi.smtp.otpRetryCount }}
   OSMNBI_OTP_EXPIRY_TIME: {{ .Values.nbi.smtp.otpExpiryTime }}
   {{- end }}
+  {{- if .Values.keystone.enabled }}
+  OSMNBI_AUTHENTICATION_BACKEND: "keystone"
+  OSMNBI_AUTHENTICATION_AUTH_URL: "http://keystone:{{ .Values.keystone.service.port }}/v3"
+  {{- end }}
 {{- end }}
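Review bot: The auth URL hardcodes the hostname `keystone` while the port is taken from `.Values.keystone.service.port`; if the Keystone Service name is ever templated or overridden (as `mysql` is via `fullnameOverride` in values.yaml), NBI will point at a host that does not exist. Derive the host from the same source the keystone Service template uses, e.g. a `<keystone-service-name value>` in values.yaml, instead of the literal. The endpoint is plain `http://`, so the NBI service credentials cross the cluster network unencrypted; that may be acceptable in-cluster, but it is worth a one-line comment next to the value. The `keystone.enabled`-only gating here versus the `mysql.enabled` requirement on the Deployment is raised in the keystone-configmap note.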
diff --git a/installers/helm/osm/values.yaml b/installers/helm/osm/values.yaml
index da9fe7ea..c5e2821b 100644
--- a/installers/helm/osm/values.yaml
+++ b/installers/helm/osm/values.yaml
@@ -208,7 +208,7 @@ kafka:
   # replicaCount: 1
 
 keystone:
-  enabled: true
+  enabled: false
   service:
     port: 5000
   image: {}
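Review bot: `keystone.enabled` can still be switched back to `true` independently of `mysql.enabled`, but after this change the Keystone Deployment renders only when both are on (keystone-deployment.yaml), so the dependency should be stated where operators edit it: `# Requires mysql.enabled: true — Keystone stores the OSM users/projects in MySQL` under `keystone:`, with a matching pointer under the `mysql:` hunk below. The rationale given in the commit message for flipping both defaults to `false` is not visible in the file and deserves a one-line comment as well.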
@@ -252,7 +252,7 @@ mon:
   config: {}
 
 mysql:
-  enabled: true
+  enabled: false
   image:
     tag: "8.1-debian-11"
   fullnameOverride: "mysql"
-- 
GitLab